Oh I totally understand needing to be able to share the token across subdomains. It helps with deployment flexibility.
One note of caution though. I realized later that what I described at the end (putting the JWT in a cookie) opens itself up to XSRF attacks unless other precautions are taken. Common ones are anti-forgery tokens (which requires keeping some session state) or using CORS with appropriate Origin restrictions.
Yeah, we do that already, and we're actually upgrading the platform to stop relying on client-generated cookies and switching to HttpOnly.