I just set up my custom domain with Firebase Hosting, lets call it mydomain.example.com.
When I navigate to it in Firefox, it shows a toggle next to the domain, that when clicked shows this:
Where the redacted part is my firebase project ID, and the full domain is one of the default domains for Firebase hosting.
What is happening here, exactly, and how can I change the behavior so it doesn't result in these cross-site cookies? Is this related to the Google Auth provider, which I also noticed doesn't use the new custom domain (instead, using one of the default domains) in the popup window for sign-in?
This is a known issue with the Firebase Auth SDK. It is not related to the Google Auth provider. The issue is that the Firebase Auth SDK uses a cookie to store the user's session. The cookie is set to the domain of the Firebase project, which is a default domain for Firebase Hosting. The cookie is set to be secure, so it is not sent over HTTP, but is sent over HTTPS. The cookie is also set to be SameSite=Lax, which means that it is not sent on cross-site requests unless the request is a GET request. The cookie is not sent on cross-site requests that are POST requests, which is the case for the sign-in popup. The cookie is sent on cross-site requests that are GET requests, which is the case for the main page.
To solve this issue, you can set the cookie policy to SameSite=None. This will allow the cookie to be sent on cross-site requests, but it will also require the cookie to be marked as secure. This means that the cookie will only be sent over HTTPS. If you are using a custom domain, you will need to set up HTTPS for your custom domain. If you are using a default domain, you will need to set up HTTPS for your default domain.
Related
I'm building a web application that uses cookies to track the user session. These cookies work flawlessly in development on localhost but they aren't working correctly in production. I suspect this is because I have some cookie settings misconfigured but I'm not sure which.
One thing to note is that the webapp runs at app.goldsky.com and the api runs at api.goldsky.io (note the different TLDs).
The application I'm building uses a tool called WorkOS for user authentication.
The authentication flow is as follows:
User visits website, enters their email and presses the login button
Request is sent to backend (api.goldsky.io)
Backend generates an authentication URL using the WorkOS SDK (of the form api.workos/...) and sends this to the frontend
the frontend navigates to this WorkOS authentication URL and proceeds through the auth flow
If successful, WorkOS redirects the user to my backend (api.goldsky.io/auth/workos/callback)
My backend generates a session token, sets a secure, httpOnly, path=/ cookie with the session token (goldsky_session=...) and redirects the user back to the webapp (app.goldsky.com)
In localhost this all works flawlessly. However, in production I don't see the cookie persist after step 6 completes.
In production, the response to step 5 contains the cookie
however after the redirect back to the webapp, the cookie seems to disappear. Here's the request to app.goldsky.com (the redirect from step 6) and it doesn't have the cookie header.
and just for completeness, here's a screenshot of the cookies for app.goldsky.com - it's empty:
By comparison, the final redirect on localhost contains the cookie:
How come my cookie does not persist after redirecting from api.goldsky.io to app.goldsky.com? Do I need to set the Domain attribute for the cookie? If so, what should I set it to? Maybe this is a SameSite problem?
Turns out I had an nginx misconfiguration issue which was rejecting requests to specific paths. Nginx was only allowing requests to /auth and a few others. My login logic was under /auth but the user query was at /user which nginx was rejecting.
In this article Google want me to set the cookieDomain to my domain name.
But I am using my domain name on other cookies that hold single sign on security tokens.
So do my domain cookies go to Google Analytics?
I think that would open a BIG security hole.
Can't put single sign on security tokens in browser storage as XSS attackers can get to them.
So how can I stop Google Analytics from getting my domain cookies and therefore my security tokens?
I don't want to increase my attack surface!
your domain cookies are exposed trough document.cookie interface and so are available to any script that is executed in a page context. So not only analytics but literally any 3-rd party script implemented on your pages has an access to your domain cookies.
I am building a platform which consists of a public facing 'website' and a PWA which will be on a subdomain on the same server.
Both web apps use the same firebase project and I was wondering if it is possible to share authentication status between the two. i.e. can I redirect a user to the PWA side without them having to login again?
Both apps are written with React, Redux and Node
Store the authentication token in a cookie with the following domain:
.mydomain.com
where mydomain.com is the public site. Now the PWA can access this cookie as a subdomain of mydomain.com.
Subdomains can not access localstorage of the main domain or other subdomains, but can access cookies in the main domain.
If Firebase automatically writes to localstorage, write your own code to delete it from there (or leave it there), and add it as a cookie.
I don't think you need to put the . in front of the domain for your cookie anymore, but you used to and I still do.
I am trying to implement SSO with a vendor, and they require I send a HTTP request. In this HTTP request, there is a custom header for username and password, which is where I pass in the u/p info. If the user is authenticated, then they send back an 'auth cookie'. I'm trying to understand a few things:
What exactly is this auth cookie? Is this a standard thing? or all it means is that its a cookie that has authentication information?
The HTTP request is sent to a domain which is different than mine. i.e., the script that sends the request is on a.com and the URL where I need to send the HTTP request is b.com. The vendor is saying that I am supposed to just 'send' the cookie they return in the response back to the user. This is not working, but I need to understand why - what will the domain of the cookie be? Will it be a.com or b.com? If its b.com, will that work, because the script that is actually making the call will be in a.com, and most browsers don't allow third-party domain cookie. Or is it failing because I am trying to write a cookie with a.com, where the cookie already has data for b.com?
Figured this out. The HTTP returned is just another custom header value, and not a cookie. So, we have to write our own cookie. However, obviously, the other domain doesn't recognise the cookie. So we actually build a reverse proxy in IIS, so that the domain a.com accesses the site through the proxy, called x.a.com, and never see b.com. So the cookie written is recognized by that domain.
We have a non-SSL ASP.NET web app that allows a user to login (ASP forms authentication, inproc).
Once authenticated, we redirect their browser to an external, SSL secured page on another web site / domain altogether that we do not control.
The client is redirected back to a pre-configured url on our original http web app when done.
However, the customer is then asked to "re-login" again on our side which is undesired...
It seems the forms authentication cookie is destroyed when transitioning between HTTP and HTTPS and back again.
How can I keep the forms authentication cookie alive so that the customer does not have to re-authenticate on the round trip?
It's not being destroyed; you're not authenticating on your domain, so the cookie's not being set on your domain, and thus requests on your domain will not contain said authentication cookie.
This is GOOD. If this didn't happen, then every cookie from every domain you ever visited would get sent with every request. Which is obviously 1) crazy and 2) a security hole. Setting a cookie on mydomain.com should never be visible to pages on myotherdomain.com.
If you're using a 3rd party authentication system, like google, facebook, etc, they'll all have some sort of callback token that you'll have to process and set your own cookies.
Consider to set cookie's domain property for your cookies with more specified can be found here or try this code:
Response.Cookies["your_cookie_name"].Domain = "yourdomain.com";
You're looking for a Single Sign On solution.
It might be a little overkill for your problem, for which you might just want to get the same domainname. But if that isn't an option you might want to take a look at:
Windows Identity Foundation