K
Kinde•13mo ago
Vector

Cookie Problem

Hello, I have a problem with a created cookie, because I need a cookie that has path '/', is httpOnly, is secure and SameSite None, is this possible to customize default kinde_token to have these parameters?
12 Replies
Vector
VectorOP•13mo ago
@Admin bump
onderay
onderay•13mo ago
Thanks for the question @Vector I am going to check this with a team member more experienced with PHP. Shouldn't be too long before I can give you an update.
Vector
VectorOP•13mo ago
Okay 🙂
onderay
onderay•13mo ago
Hey @Vector We cannot change the Kinde cookie attributes. That would affect every user on Kinde, and we don't have customizations for cookies. We don't see a compelling case for it. Can you confirm why are needing to make those changes to the cookie?
Vector
VectorOP•13mo ago
I got a bit different app autehntication, cause my api will be called from different domens, I dont want to push user to login in every front-end domain, instead I want to just save token on my api domain, and access it everytime I send request to it
onderay
onderay•13mo ago
Are they different sub domains? Eg. drive.google.com
Vector
VectorOP•13mo ago
yeah, dashboard is on dashboard.domain.com, api is on api.domain.com, frontpage it on domain.com etc
rai_kinde
rai_kinde•13mo ago
Hi @Vector , can you please clarify my understanding of your setup: - You have API endpoints accessible via https://api.domain.com/... - You have 1 frontend accessible via https://dashboard.domain.com - You have 1 frontend accessible via https://frontend.domain.com If you enduser goes to https://dashboard.domain.com , logins, then navigates to https://frontend.domain.com , you want them to stay logged in? With the API endpoint, is that meant only be accessed from those 2 frontends only? And you want to protect the endpoint by ensuring only a logged in user can access it?
Vector
VectorOP•13mo ago
Exactly
rai_kinde
rai_kinde•13mo ago
Hi @Vector , I'm following up with the rest of the team regarding the part about staying logged in across subdomains. With protecting your API endpoint. once an enduser logs in, you can use the access token received from Kinde, and pass that in the Authorization header of your API endpoint. Your API then has to verify that the access token is valid and has been issued by Kinde. You can find more details about this in the docs: https://kinde.com/docs/developer-tools/protect-your-api/#protect-your-api
Kinde Docs
Protect your API - Developer tools - Help center
Our developer tools provide everything you need to get started with Kinde.
rai_kinde
rai_kinde•13mo ago
Also, are you able to let us know what your stack looks like, and whether you are using any of the Kinde SDKs?
Vector
VectorOP•13mo ago
my backend stack is laravel + phpsdk, thats all basically I solved this problem by creating custom kinde_token cookie with httpOnly and samedomain none and now it works perfectly, and nobody can take this cookie cause its httpOnly, so I think it is pretty secure
Want results from more Discord servers?
Add your server