9 votes

Given a CORS API that requires a session cookie to track users as they move through a checkout process, there are issues in multiple browsers where the cookie is not set until after the user visits the site the API is hosted on.

For example:

johnny.com uses a CORS JSON API from jacob.com. jacob.com sets a cookie after the first AJAX call is made, but some browsers will not set the cookie for subsequent calls. Therefore the API will not function as expected.

Browser Behavior:

  • Chrome seems to function fine unless "Third-Party cookies" are deliberately disabled. There doesn't seem to be a workaround for this.

  • IE does not allow the cookie to be set initially unless there is a P3P privacy policy header returned with the initial call.

  • Safari does not allow the cookie to be set initially unless a hack is used (see: http://measurablewins.gregjxn.com/2014/02/safari-setting-third-party-iframe.html).

Any insight on how to work around these issues is greatly appreciated.

I'm facing the exact same situation right now. Have you found a solution that fits your needs? – MarioDS

The best solution I've seen is to create a ton of iframes that load and manage data from the other domain. This requires additional header modification so the site allows iframes from other domains. – jnrcorp

Thanks for the pointer. Do cookies work in iframes even if the frame loads another domain? – MarioDS

Yes. I've never personally run into an issue with cookies within an iframe. As long as the iframe loads, the cookies work. – jnrcorp

1 Answer

7 votes

Unfortunately, it seems there is no option to make that work across all browsers.

Safari now restricts third-party use of cookies. It seems the best is to evaluate alternatives:

  • Set up a proxy server that will redirect the calls to the different services (for example, when you hit johnny.com/jacob/abc, act as a proxy to retrieve jacob.com/abc)
  • Use oauth login on API (it might be impractical)
  • Move the API under johnny.com/api/...

Paypal has also created several js based solutions to try to go around this kind of problem: https://medium.com/@bluepnume/introducing-paypals-open-source-cross-domain-javascript-suite-95f991b2731d