Reputation: 11
Domains are fictional :)
I have a website hosted at: app.sunsetland.com.au
In that website, on one page I <embed> another website, which is hosted at subdomain.sunsetland.com.au.
Our GCP Cloud Armor is set to redirect to reCAPTCHA on some endpoints (note: this is not a visible reCAPTCHA challenge). We configure that reCAPTCHA on GCP reCAPTCHA Enterprise.
When I load the login screen at app.sunsetland.com.au, I see that a recaptcha cookie is set with:
name=recaptcha-ca-e
domain=app.sunsetland.com.au
SameSite=strict
When my browser makes cross-site/CORS calls from subdomain.sunsetland.com.au to my backend (hosted at app.sunsetland.com.au/service) the recaptcha cookie is not sent and my calls fail against the reCAPTCHA redirect. I'm expecting to pass since I already have the recaptcha-ca-e cookie from the login screen. The impact? I can't load my webpage that requires CORS on production/live except with a workaround which isn't very nice.
In reCAPTCHA Enterprise the domain list contains the top-level domain sunsetland.com.au, so I believe it should apply to all subdomains; I don't know why it doesn't work for the subdomain subdomain.sunsetland.com.au.
I am also trying to understand why the recaptcha cookie's SameSite is being set to Strict and not the default Lax (the setting a browser would use if SameSite is not set), and why the domain value is not being set on the top-level domain sunsetland.com.au (since we configured the reCAPTCHA Enterprise domain on sunsetland.com.au).
Upvotes: 1
Views: 196
Reputation: 11
Well, well - it seems that the likely answer here is that this all happens by design and there was no bug anywhere except in my understanding!
The reCAPTCHA Enterprise key will apply on the explicitly configured domain sunsetland.com.au and all subdomains of sunsetland.com.au. However, there is no promise in the documentation that the implementation of reCAPTCHA Enterprise is with a cookie set with the domain as the top-level one (as specified in our key). In fact, it appears that the implementation is that the recaptcha-ca-e cookie is set with SameSite=Strict and the domain being wherever the cookie is created. In the case of our login screen the cookie is created at https://app.sunsetland.com.au/service and so the cookie will be specifically set with domain=app.sunsetland.com.au. It seems the reCAPTCHA Enterprise implementation intentionally sets the cookie on the exact subdomain where it is created (it technically could set it on a higher-order domain, but the implementation chooses to be more specific), so if we were to host another subdomain aside from app., we would likely encounter the reCAPTCHA challenge again if we tried to access that subdomain (again: the reCAPTCHA key applies across the top-level domain, but the cookie implementation is more specific).
Upvotes: 0
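The scoping the answer describes can be checked with a small model of the RFC 6265 Domain rule. This is an added example, not code from the poster or from reCAPTCHA Enterprise; the Set-Cookie headers are constructed (the page only reports the cookie name, domain and SameSite=Strict), and only the Domain attribute is modelled, not Path, Secure or the SameSite decision.

```python
"""Model of the RFC 6265 cookie Domain rule: which hosts receive a cookie?"""
from typing import NamedTuple, Optional


class CookieScope(NamedTuple):
    name: str
    domain: str             # host the cookie is scoped to (lowercase)
    host_only: bool         # True when Set-Cookie had no Domain attribute
    samesite: Optional[str]


def parse_set_cookie(header: str, request_host: str) -> CookieScope:
    """Store a Set-Cookie header the way a browser does (RFC 6265 s5.3).
    Without a Domain attribute the cookie is host-only for request_host,
    which devtools still displays as domain=<request_host>."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name = name_value.split("=", 1)[0].strip()
    domain, host_only, samesite = request_host.lower(), True, None
    for attr in attrs:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "domain" and value:
            domain, host_only = value.lstrip(".").lower(), False  # leading dot is ignored
        elif key == "samesite":
            samesite = value.capitalize() or None
    return CookieScope(name, domain, host_only, samesite)


def is_sent_to(cookie: CookieScope, host: str) -> bool:
    """Domain rule only (RFC 6265 s5.4): host-only cookies need an exact host
    match; domain cookies go to that domain and all of its subdomains."""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def hosts_receiving(cookie: CookieScope, hosts: list) -> list:
    """Return the subset of hosts to which the cookie would be attached."""
    return [h for h in hosts if is_sent_to(cookie, h)]


# Constructed headers: token value and extra attributes are placeholders.
OBSERVED = "recaptcha-ca-e=<opaque-token>; Path=/; Secure; HttpOnly; SameSite=Strict"
WIDER = "recaptcha-ca-e=<opaque-token>; Domain=sunsetland.com.au; Path=/; Secure; SameSite=Strict"
HOSTS = ["app.sunsetland.com.au", "subdomain.sunsetland.com.au",
         "other.sunsetland.com.au", "evil-sunsetland.com.au"]

if __name__ == "__main__":
    for header in (OBSERVED, WIDER):
        c = parse_set_cookie(header, "app.sunsetland.com.au")
        print(c.domain, "host-only" if c.host_only else "domain", hosts_receiving(c, HOSTS))
```

The first header reproduces the answer's observation: a cookie created at app.sunsetland.com.au is presented only to that host, so any other subdomain starts without it, whereas a Domain=sunsetland.com.au cookie would cover every subdomain (but never a look-alike such as evil-sunsetland.com.au).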