Trying to use CORS and XSRF on different domains

advertisements

I have a frontend and a backend app. They are in different domains (subdomain). The frontend app does a first request (GET) to get some server-side information, basically session_id and XSRF-TOKEN cookies.

The situation is:

myapp.com cookies: _session_id api.myapp.com cookies: XSRF-TOKEN

So, my frontend app gets the _session_id cookie but it doesn't get the XSRF-TOKEN. When I try to get the XSRF-TOKEN to put it on the header like X-XSRF-TOKEN it isn't possible because they're different domains.

Any good soul to help me? Thanks in advance.


You'll want to consider the following: Share session (cookies) between subdomains in Rails?

#config/initializers/session_store.rb
YourApp::Application.config.session_store :cookie_store, key: '_yourapp_session', domain: :all, tld_length: 2