I want to set a top-level domain cookie (i.e. domain:”.example.com”) from sub.example.com.
I know I have to set the “domain” attribute like so:
const app = express();
app.get("/set", (req, res) => {
res.cookie("name", "express", { domain: '.example.com', path:'/', httpOnly:true, secure:true, sameSite:'lax' }).send("cookie sety");
});
But when I access the page from sub.example.com (Browser, Postman, …) it always says “domain: .sub.example.com”.
The website is running on Windows-Server, IIS 10, Node 20.
IIS is configured for bindings: sub.example.com, example.com (both 80 and 443).
Rewrite-Configuration:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" patternSyntax="ECMAScript" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:3528/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
I have no idea, at what point the domain get’s “rewritten”. I checked the web, stack-exchange and copilot. Couldn’t find any clue.