top | item 34397462

The_Amp_Walrus | 3 years ago

Is there an implicit assumption that we're operating on the same domain here for the frontend and backend?

I'm not sure that it's so easily handled if you're working from www.foo.com and api.foo.com

msukmanowsky|3 years ago

The main assumption is just that you have a single API domain. The fact that the frontend and API may be on different domains doesn't impact this recommendation.

If the API tries to set an HTTPS-only session cookie on api.example.com, the client/browser will simply forward that cookie on every request (including requests made on behalf of a user, like a frontend calling fetch()). You can try this yourself, or see it happening in the Github example linked in the post.

If you had backend APIs supported by different domains (api1.example.com and api2.example.com), things do get more troublesome. You could still configure the cookie domain for .example.com, but then you're sending the session cookie along with any request to any example.com subdomain.
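To make the scoping rules in this thread concrete, here is an added example (not code from the thread or from the linked post) that models how a browser decides whether a session cookie set by api.example.com is attached to a later request, using RFC 6265 domain matching; the host names, cookie values and allowed origins are constructed for illustration.

```javascript
// Added example (not from the thread or the linked post): models how a browser scopes a
// session cookie set by api.example.com, following RFC 6265 domain matching.

// Set-Cookie header the API sends. With no Domain attribute the cookie is "host-only":
// the browser returns it only to the exact host that set it.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${value}`, 'Path=/', 'Secure', 'HttpOnly', 'SameSite=Lax'];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  return parts.join('; ');
}

// Minimal Set-Cookie parser keeping only what the scoping decision needs.
// setByHost is the host that issued the response; a Domain attribute that does not
// cover it makes the browser reject the cookie, so we return null in that case.
function parseSetCookie(header, setByHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: pair.split('=')[0], secure: false, hostOnly: true,
                   domain: setByHost.toLowerCase() };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    if (k.toLowerCase() === 'domain' && v) {
      const d = v.replace(/^\./, '').toLowerCase();   // leading dot is ignored
      if (!domainMatches(setByHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3: host equals the domain, or ends with "." + domain.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  return h === cookieDomain || h.endsWith('.' + cookieDomain);
}

// Would the browser attach this cookie to a request to requestHost?
function cookieWouldBeSent(cookie, requestHost, https = true) {
  if (cookie.secure && !https) return false;
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}

// CORS headers the API must add so a frontend on another origin can call it with
// fetch(url, { credentials: 'include' }): an explicit allowed origin, never "*".
function corsHeadersFor(origin, allowedOrigins) {
  if (!allowedOrigins.includes(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin,
           'Access-Control-Allow-Credentials': 'true', 'Vary': 'Origin' };
}
```

Because www.example.com and api.example.com share a registrable domain they are same-site, so a SameSite=Lax cookie is still sent on the frontend's fetch() calls; the cross-origin part is handled by the credentials flag plus the CORS headers above.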