Torii, iframes and 3rd party cookies


We’re using torii + simple auth to authenticate and authorize our ember applications with our authentication service. I’m trying to move from using a popup window for the authentication to using an iframe. It was about to go live until our product manager had a super weird bug that would stop him from getting into the app. The culprit: he was blocking 3rd party cookies.

The problem is that our application ( is trying to authenticate with the auth server ( which sets a cookie to communicate session information. With a popup, has its own window so it’s setting a 1st party cookie and all is well. However, with now living in an iframe on the cookie is a 3rd party cookie and the auth process fails.

Here’s my question: is it possible to set the cookie on the subdomain (i.e. rather than the apex domain ( It seems crazy that a cookie from the same subdomain is even considered a 3rd party cookie but I guess that’s why I’m not a browser dev.

Any help would be greatly appreciated. I really am not very familiar with torii yet and would appreciate any guidance.


This is more web specific, but I believe the service is writing the auth cookie with as the domain. Try writing the cookie to instead.
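
The reply above turns on which Domain value the auth cookie is written with. As an added example (not from the original thread), this sketch applies the RFC 6265 domain-match rule to show which hosts receive a cookie for a given Domain attribute; the `example.test` hostnames are constructed placeholders, and browser third-party cookie blocking and public-suffix checks are not modelled.

```javascript
// Added example: cookie scoping per RFC 6265. All hostnames are constructed.

// RFC 6265 section 5.1.3: does the request host domain-match the cookie domain?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // IP addresses only match exactly, never as a suffix.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Build the stored cookie from the host that set it and its Domain attribute.
// domainAttr === null models a Set-Cookie header with no Domain attribute.
function storeCookie(setterHost, domainAttr) {
  if (!domainAttr) return { domain: setterHost.toLowerCase(), hostOnly: true };
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A server may only set a cookie for a domain its own host matches.
  if (!domainMatch(setterHost, domain)) return null; // cookie rejected
  return { domain, hostOnly: false };
}

// Would the browser attach this cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (!cookie) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// One line per scenario: which of the given hosts receive the cookie.
function scopeReport(setterHost, domainAttr, hosts) {
  const cookie = storeCookie(setterHost, domainAttr);
  return hosts
    .map((h) => `${h}=${isSentTo(cookie, h) ? "sent" : "not sent"}`)
    .join(", ");
}

// Constructed hosts standing in for the auth server, the app and the apex.
const HOSTS = ["auth.example.test", "app.example.test", "example.test"];

console.log("no Domain:       ", scopeReport("auth.example.test", null, HOSTS));
console.log("Domain=apex:     ", scopeReport("auth.example.test", "example.test", HOSTS));
console.log("Domain=sibling:  ", scopeReport("auth.example.test", "app.example.test", HOSTS));
```

A cookie with no Domain attribute stays on the exact host that set it, one scoped to the apex reaches every subdomain, and a server cannot write a cookie for a sibling subdomain.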