Impossible to safely forward CF_Authorization cookie to my API

This post is about the product “Cloudflare Access”

My protected application is under: https://admin.mydomain.com
The API is under: https://api.admin.mydomain.com

Inside the API, I have the code to validate the CloudFlare JSON web token

However I’m stuck sending the cookie, because of the domain set by Cloudflare.

If I manually change the domain from admin.mydomain.com to → .admin.mydomain.com the navigator doesn’t block the cookie anymore and everything is working fine.

However there is no option in Cloudflare to do this automatically.

99% of the solution is working but I’m stuck here, and I would be surprised if nobody has encountered this issue before.

I’ve tried posting on the Discord but unfortunately got no answer…
By chance, does anyone know a trick to make it work?

Thanking you in advance

1 Like


I’d be inclined to expect a.b.mydomain.com to be sent cookies for b.mydomain.com going off of this message though.

For example, if you set Domain=mozilla.org , cookies are available on subdomains like developer.mozilla.org .

I think it is missing the prefix dot at the beginning: domain should be .admin.mydomain.com for it to be sent.
When I manually add it, the cookie is correctly sent and everything is working well.

Unfortunately Cloudflare doesn’t seem to provide an option to do so.
How can I make this work?

Can anyone help me on this?
I cannot use the product without being able to pass the CF_Authorization cookie to my API :frowning:

I can’t be the only one experiencing this?

That first dot is no longer required per RFC6265 which replaced RFC2109 (which did require the dot). Can you confirm your browser is up-to-date (which should mean it allows this per RFC6265)?

Ref: http - Share cookie between subdomain and domain - Stack Overflow

1 Like
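The RFC 6265 behaviour this reply refers to, modelled as an added Python example (not code from the thread, from Cloudflare, or from the linked Stack Overflow answer): it applies the storage rules of section 5.3 and the sending rules of section 5.4 to a Set-Cookie header, so you can see which hosts receive the CF_Authorization cookie with and without the leading dot. The host names are the ones from the thread; the token value is a constructed placeholder.

```python
# Added example (not code from the thread or from Cloudflare): a small model of
# how an RFC 6265 browser handles the Domain attribute of a Set-Cookie header,
# used here to check which hosts would receive the CF_Authorization cookie.
# Host names come from the thread; the token value is a constructed placeholder.

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str        # canonical cookie domain: lower-case, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain, or host is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def store_cookie(set_cookie: str, origin_host: str) -> Optional[StoredCookie]:
    """Apply the storage rules of RFC 6265 section 5.3 to one Set-Cookie header.

    Returns None when the browser would reject the cookie because the Domain
    attribute does not cover the host that set it.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr = ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain_attr = val.strip()
    if not domain_attr:
        # No Domain attribute: host-only cookie bound to the setting host.
        return StoredCookie(name.strip(), value.strip(), origin_host.lower(), True)
    # Section 5.2.3: a leading dot is ignored, so ".admin.mydomain.com" and
    # "admin.mydomain.com" are the same cookie domain to the browser.
    cookie_domain = domain_attr.lstrip(".").lower()
    if not domain_matches(origin_host, cookie_domain):
        return None   # section 5.3 step 6: domain does not cover the origin host
    return StoredCookie(name.strip(), value.strip(), cookie_domain, False)


def is_sent_to(cookie: StoredCookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: host-only cookies need an exact host match,
    domain cookies need a domain-match."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


# Constructed inputs modelled on the thread: the cookie is set while visiting
# the protected app, and the question is whether the API host receives it.
APP_HOST = "admin.mydomain.com"
API_HOST = "api.admin.mydomain.com"
TOKEN = "PLACEHOLDER.JWT.VALUE"   # constructed, not a real Cloudflare token


def which_hosts_receive(set_cookie: str) -> Dict[str, bool]:
    """Store a Set-Cookie header issued by APP_HOST and report who gets the cookie."""
    cookie = store_cookie(set_cookie, APP_HOST)
    if cookie is None:
        return {APP_HOST: False, API_HOST: False}
    return {h: is_sent_to(cookie, h) for h in (APP_HOST, API_HOST)}


if __name__ == "__main__":
    variants = {
        "no Domain attribute (host-only)":
            f"CF_Authorization={TOKEN}; Path=/; Secure; HttpOnly",
        "Domain=admin.mydomain.com":
            f"CF_Authorization={TOKEN}; Domain=admin.mydomain.com; Path=/; Secure; HttpOnly",
        "Domain=.admin.mydomain.com (legacy leading dot)":
            f"CF_Authorization={TOKEN}; Domain=.admin.mydomain.com; Path=/; Secure; HttpOnly",
    }
    for label, header in variants.items():
        print(label, "->", which_hosts_receive(header))
```

Under these rules the two Domain spellings store the same cookie and both reach api.admin.mydomain.com, while a cookie with no Domain attribute stays host-only and is never sent to the API host. The model covers only the host and Domain rules; it does not model Path, Secure, SameSite or the browser's credentialed cross-origin request handling, all of which also gate whether a cookie is attached to a given request.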

I totally agree with your link @mcfadyeni, however it doesn’t explain why it is not working without it…
I’ve tried on both Safari (15.2) and Chrome (v103, which I think is using RFC6265 since version 80+)

Do you have separate Access Policies for the different subdomains or a shared one?