I am currently working on my API, which is responsible for authentication, and all the API endpoints that are used in my SPA. The API runs on api.domain.com, and the SPA runs on www.domain.com. All in one SSL certificate (wildcard type).
Unfortunately, when I return the Set-cookie in the header from api.domain.com, it is not saved, but I see it in Chrome's debugger.
My session is as follows:
'Set-cookie':'__Secure-ID=38afes7a8-38afes7a8-38afes7a8-38afes7a8; Expires=Mon, 11-Sep-2017 23:03:13 GMT; Secure; HttpOnly; Domain=.domain.com'
There is no problem retrieving it and viewing it in the browser, but it will not remain and does not obey Expire, it just disappears when I go to other endpoints on api.domain.com or even www.domain.com.
What is the problem?