Cookie Problem
Hello,
I have a problem with a created cookie, because I need a cookie that has path '/', is httpOnly, is secure and SameSite None, is this possible to customize default kinde_token to have these parameters?
12 Replies
@Admin bump
Thanks for the question @Vector I am going to check this with a team member more experienced with PHP. Shouldn't be too long before I can give you an update.
Okay 🙂
Hey @Vector We cannot change the Kinde cookie attributes. That would affect every user on Kinde, and we don't have customizations for cookies. We don't see a compelling case for it.
Can you confirm why you are needing to make those changes to the cookie?
I got a bit different app authentication, because my API will be called from different domains. I don't want to push the user to log in on every front-end domain; instead I want to just save the token on my API domain and access it every time I send a request to it.
Are they different sub domains? Eg. drive.google.com
Yeah, the dashboard is on dashboard.domain.com, the API is on api.domain.com, the front page is on domain.com, etc.
Hi @Vector , can you please clarify my understanding of your setup:
- You have API endpoints accessible via https://api.domain.com/...
- You have 1 frontend accessible via https://dashboard.domain.com
- You have 1 frontend accessible via https://frontend.domain.com
If your end user goes to https://dashboard.domain.com, logs in, then navigates to https://frontend.domain.com, you want them to stay logged in?
With the API endpoint, is that meant to be accessed only from those 2 frontends? And you want to protect the endpoint by ensuring only a logged-in user can access it?
Exactly
Hi @Vector , I'm following up with the rest of the team regarding the part about staying logged in across subdomains.
With protecting your API endpoint, once an end user logs in, you can use the access token received from Kinde and pass that in the Authorization header of your API endpoint. Your API then has to verify that the access token is valid and has been issued by Kinde. You can find more details about this in the docs: https://kinde.com/docs/developer-tools/protect-your-api/#protect-your-api
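The verification step described above, as an added example for the Laravel + PHP stack mentioned later in the thread. This is not code from the thread, the Kinde SDK or the Kinde docs: it is a Laravel middleware that checks the Bearer token against the issuer's published signing keys using the third-party `firebase/php-jwt` package. The issuer URL, the JWKS path and the audience value are placeholders that must be replaced with the values from your own Kinde configuration.

```php
<?php
// Added example, not Kinde's or the thread author's code.
// Assumes: composer require firebase/php-jwt; ISSUER and AUDIENCE are placeholders.
declare(strict_types=1);

namespace App\Http\Middleware;

use Closure;
use Firebase\JWT\JWK;
use Firebase\JWT\JWT;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;

final class VerifyKindeAccessToken
{
    // Placeholders: your Kinde domain and the API audience you registered in Kinde.
    private const ISSUER   = 'https://YOUR_SUBDOMAIN.kinde.com';
    private const AUDIENCE = 'https://api.domain.com';

    public function handle(Request $request, Closure $next)
    {
        $token = $request->bearerToken();
        if ($token === null) {
            return response()->json(['error' => 'missing bearer token'], 401);
        }

        try {
            // Fetch the issuer's public keys once an hour instead of on every request.
            // Key rotation is picked up when the cache entry expires.
            $jwks = Cache::remember('kinde_jwks', 3600, function (): array {
                return Http::get(self::ISSUER . '/.well-known/jwks')->throw()->json();
            });

            // parseKeySet() builds one Key per JWK; decode() picks the key by the token's
            // "kid" header, verifies the RS256 signature and rejects expired tokens.
            $claims = (array) JWT::decode($token, JWK::parseKeySet($jwks, 'RS256'));
        } catch (\Throwable $e) {
            // Covers network errors, malformed tokens, bad signatures and expiry alike.
            return response()->json(['error' => 'invalid token'], 401);
        }

        // A valid signature is not enough: the token must come from our issuer and be
        // intended for this API, otherwise a token minted for another audience would pass.
        $audiences = (array) ($claims['aud'] ?? []);
        if (($claims['iss'] ?? null) !== self::ISSUER
            || !in_array(self::AUDIENCE, $audiences, true)) {
            return response()->json(['error' => 'token not issued for this API'], 401);
        }

        // Make the verified claims available to controllers without re-parsing.
        $request->attributes->set('kinde_claims', $claims);

        return $next($request);
    }
}
```

Register the middleware on the API routes that need protection; the frontends then call the API with `Authorization: Bearer <access token>` and no cookie is involved, which is the approach the Kinde docs linked above recommend.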
Also, are you able to let us know what your stack looks like, and whether you are using any of the Kinde SDKs?
My backend stack is Laravel + PHP SDK, that's all.
Basically I solved this problem by creating a custom kinde_token cookie with httpOnly and SameSite None, and now it works perfectly, and nobody can take this cookie because it's httpOnly, so I think it is pretty secure.
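The cookie described in the reply above, as an added example (not the thread author's code and not part of the Kinde PHP SDK), written in plain PHP for the api.domain.com host. It sets the four attributes asked for at the top of the thread and adds the check a defender would want alongside them: `httpOnly` stops page scripts from reading the cookie, but `SameSite=None` makes the browser attach it to cross-site requests from any origin, so the API must itself decide which origins may make credentialed calls. The origin allowlist, the token value and the TTL are placeholders.

```php
<?php
// Added example, not code from the thread or the Kinde SDK. Requires PHP 7.3+ for the
// setcookie() options array. Hostnames follow the thread; the allowlist is a placeholder.
declare(strict_types=1);

// Origins allowed to make cookie-bearing (credentialed) requests to the API.
// Because the cookie is SameSite=None, browsers will send it from any site that calls
// api.domain.com; this list is what keeps that to the application's own frontends.
const ALLOWED_ORIGINS = [
    'https://domain.com',
    'https://dashboard.domain.com',
    'https://frontend.domain.com',
];

/** Store the access token as a cookie on api.domain.com (host-only: no 'domain' option). */
function setTokenCookie(string $accessToken, int $ttlSeconds): bool
{
    return setcookie('kinde_token', $accessToken, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,    // browsers accept SameSite=None only together with Secure
        'httponly' => true,    // not readable from JavaScript; limits XSS token theft
        'samesite' => 'None',  // sent on cross-site calls from the frontend subdomains
    ]);
}

/** True when the request's Origin header is on the allowlist. */
function originAllowed(?string $origin): bool
{
    // Requests without an Origin header are refused here; browsers always send it on
    // cross-site fetch/XHR, which is the only path these frontends use to reach the API.
    return $origin !== null && in_array($origin, ALLOWED_ORIGINS, true);
}

/** Read the cookie only for allowlisted origins; returns the token or null. */
function tokenFromCookieRequest(array $server, array $cookies): ?string
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if (!originAllowed($origin)) {
        http_response_code(403);
        echo json_encode(['error' => 'origin not allowed']);
        return null;
    }

    // CORS for credentialed requests: echo back only an allowlisted origin (never '*'),
    // and vary the cache on Origin so one frontend's response is not served to another.
    // The frontend must call fetch(url, { credentials: 'include' }) for the cookie to be sent.
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin');

    $token = $cookies['kinde_token'] ?? null;
    if ($token === null) {
        http_response_code(401);
        echo json_encode(['error' => 'not logged in']);
        return null;
    }

    // The cookie only transports the token; it still has to be verified as a Kinde-issued
    // access token (signature, expiry, issuer, audience) before any data is returned.
    return $token;
}

// Usage on the API host: after the Kinde login callback has produced an access token
// (placeholder value below), and on each subsequent API request.
setTokenCookie('ACCESS_TOKEN_FROM_KINDE', 3600);
$token = tokenFromCookieRequest($_SERVER, $_COOKIE);
```

Two points worth keeping in mind with this setup: the cookie's protection is only as good as the verification applied to the token it carries, and because the API answers cross-site requests, a CSRF-style check such as the Origin allowlist above (or a per-request CSRF token) is what prevents an unrelated site from driving authenticated calls through the visitor's browser.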