vertx-web
Set the session cookie domain to custom value
Describe the feature
I would like to be able to change the session cookie Domain attribute.
As of today, the session cookie domain is set to the full hostname (one.example.org) of the application.
Use cases
With the current implementation it's impossible to share the session cookie across multiple sub domains ([one|two].example.com)
Contribution
I would be OK to implement this feature, but I'm wondering why it has not been done in the first place. Is this because of a security measure?
Hi, indeed we don't have a configuration setting for the domain. I think this could be added; however, we should follow:
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#domain-and-path-attributes
Which states that by default we should not set the domain, as it ensures that we are not permissive and sessions do not leak across sub domains.
The goal is to avoid situations like:
Imagine you have a secure application deployed at http://secure.example.com/ and the application sets a session cookie with domain ".example.com" when users log in.
Suppose you have another less secure application at http://insecure.example.com/ and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com that browses to http://insecure.example.com risks exposing their session cookie from http://secure.example.com.
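To make the leak described above concrete, here is an added example (not vertx-web code and not part of the thread) that models the RFC 6265 cookie scoping rules in Python: a Set-Cookie without a Domain attribute yields a host-only cookie, while Domain=example.com makes the browser attach the cookie to every subdomain, including the less secure one. The host names, cookie name and value are constructed placeholders.

```python
# Added example (not vertx-web code): a small model of RFC 6265 cookie scoping,
# enough to check the host-only vs. Domain=example.com difference from the thread.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    domain: str        # effective domain after the browser processed Set-Cookie
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or request_host is a subdomain.

    IP-address literals are not handled; the model assumes host names."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def store_cookie(response_host: str, name: str, value: str,
                 domain_attr: Optional[str] = None,
                 http_only: bool = False) -> Optional[StoredCookie]:
    """RFC 6265 section 5.3 storage rules for the Domain attribute.

    No Domain attribute -> host-only cookie bound to the responding host.
    Domain present -> scoped to that domain and every subdomain of it.
    Returns None where a browser rejects the cookie because the attribute does
    not cover the responding host (e.g. Domain=other.com)."""
    host = response_host.lower()
    if domain_attr is None:
        return StoredCookie(name, value, host, host_only=True, http_only=http_only)
    dom = domain_attr.lower().lstrip(".")  # a leading dot is ignored by modern browsers
    if not domain_matches(host, dom):
        return None
    return StoredCookie(name, value, dom, host_only=False, http_only=http_only)


def sent_to(cookie: StoredCookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: does the browser attach the cookie to this host?"""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return domain_matches(host, cookie.domain)


def readable_by_script(cookie: StoredCookie, page_host: str) -> bool:
    """Can document.cookie on a page served from page_host see it? This is what
    an XSS payload on a sibling host would read."""
    return sent_to(cookie, page_host) and not cookie.http_only


# Constructed scenario from the thread: the session cookie is set by
# secure.example.com; the names are placeholders, not real hosts.
HOSTS = ("secure.example.com", "insecure.example.com", "example.com",
         "evil-example.com", "one.example.org")


def scope_report(domain_attr: Optional[str], http_only: bool = False) -> Dict[str, bool]:
    """Which hosts receive secure.example.com's session cookie for a given
    Domain attribute (None = attribute omitted, i.e. no domain configured)."""
    cookie = store_cookie("secure.example.com", "vertx-web.session", "s3ss10n",
                          domain_attr=domain_attr, http_only=http_only)
    assert cookie is not None  # secure.example.com is always covered here
    return {h: sent_to(cookie, h) for h in HOSTS}


if __name__ == "__main__":
    for attr in (None, "example.com"):
        print(f"Domain={attr!r}:", scope_report(attr))
```

Running it shows the cookie reaching only secure.example.com when Domain is omitted, and reaching insecure.example.com and the apex as well with Domain=example.com. Note that HttpOnly only stops document.cookie from reading the value; script injected on insecure.example.com can still make credentialed requests that the browser decorates with the shared cookie, so HttpOnly is not a substitute for keeping the cookie host-only.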
Thanks for your (quick!) answer! I'll see whether I have time to work on this feature!