Torii, iframes and 3rd party cookies


#1

We’re using torii + simple auth to authenticate and authorize our ember applications with our authentication service. I’m trying to move from using a popup window for the authentication to using an iframe. It was about to go live until our product manager had a super weird bug that would stop him from getting into the app. The culprit: he was blocking 3rd party cookies.

The problem is that our application (application.example.com) is trying to authenticate with the auth server (authorization.example.com) which sets a cookie to communicate session information. With a popup, authorization.example.com has its own window so it’s setting a 1st party cookie and all is well. However, with authorization.example.com now living in an iframe on application.example.com the cookie is a 3rd party cookie and the auth process fails.

Here’s my question: is it possible to set the cookie on the subdomain (i.e. example.com) rather than the apex domain (authorization.example.com)? It seems crazy that a cookie from the same subdomain is even considered a 3rd party cookie but I guess that’s why I’m not a browser dev.

Any help would be greatly appreciated. I really am not very familiar with torii yet and would appreciate any guidance.


#2

This is more web specific, but I believe the service is writing the auth cookie with authorization.example.com as the domain. Try writing the cookie to .example.com instead.