This seems a common use case, but I have not been able to find a satisfactory answer. We have a public REST API, which we want 3rd parties to be able to write their own Progressive Web Applications and call the API. This means we have to disable CORS as the requests will not be coming from the domain that hosts the API. The API requires cookie authentication, so the session cookie must be sent with each request.
Unfortunately, because of the way web browsers handle security, we can restrict cookies to the ‘SameDomain’, but this would be the REST API domain, which is not what we want. A typical attack would be to have the 3rd party client log in and get a session cookie; then the user navigates away to evil.com, which can now use the session cookie to access the REST API against the wishes of the 3rd party client's user.
It appears what we want is to restrict the session cookie to the domain of the 3rd party app which the user logs into. I cannot find a standard way to do this. Is there any standard way to do this?
One potential solution would be to encrypt the session key with the ‘origin’ or ‘referrer’ domain before sending it to the client. Then, when a request is made of the API, the session key in the cookie is decrypted with the ‘origin’ or ‘referrer’ domain, so the session key would be invalid if the domain making the request is different from the domain to which the authentication credentials were issued.
Is this secure? Is there a better way to do this?