Cross sub domain cookies on azure

Posted 2019-08-17 09:11

My application consists of 2 parts:

  • The web API, written in .NET Core
  • The web app, written in React and rendered using a nodejs express server

I am hosting these parts on Azure, each on its own sub domain, so we have:

  • api.azurewebsites.net
  • app.azurewebsites.net

When the user logs in I set a cookie; to my understanding a cookie can be used across sub domains. The cookie is set the following way:

Response.Cookies.Append("token", "token value", new CookieOptions
{
    Expires = DateTimeOffset.Now.AddDays(7),
    SameSite = SameSiteMode.None,
    Domain = "azurewebsites.net"
});

But the cookie is not sent along with requests to either sub domain. How can this be?

If this is the wrong approach, how do I authenticate with an SSR app and a REST API? When the app gets rendered in node it fetches data the exact same way as in the browser using isomorphic-fetch, the cookie is passed along with it.

All this works flawlessly on localhost, the problem starts when the app is on a different sub domain from the API.

UPDATE:

The cookie header looks like this:

Set-Cookie: token=<token>; expires=Sat, 22 Jun 2019 05:35:18 GMT; domain=azurewebsites.net; path=/; secure

On Firefox it works differently from Chrome. On Chrome I do the authentication API request, get the token, get the cookie header, and then the cookie does not get sent along with any subsequent requests.

In Firefox the cookie does get sent with subsequent requests, however upon refreshing the page the cookie is gone.

1 answer
我只想做你的唯一
Reply #2 · 2019-08-17 09:59

I found this: ASP.NET Core Sharing Identity Cookie across azure web apps on default domain (*.azurewebsites.net)

Cross sub domain cookies are blocked for the azurewebsites.net domain for security reasons.
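
The browser rule behind this answer, as an added example that is not part of the original question or answer: azurewebsites.net is an entry on the Public Suffix List, and browsers refuse a cookie whose Domain attribute is a public suffix other than the responding host (RFC 6265, section 5.3). The suffix set below is a constructed three-entry excerpt of that list, and example.com stands in for a hypothetical custom domain.

```javascript
// Added example: simplified model of the browser's Domain-attribute check
// (RFC 6265 section 5.3). Not code from the original post.

// Constructed sample: a tiny excerpt of the Public Suffix List. Real browsers
// ship the full list; azurewebsites.net is one of its private-section entries.
const PUBLIC_SUFFIXES = new Set(["com", "net", "azurewebsites.net"]);

// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns how a browser would treat a Set-Cookie with the given Domain
// attribute when the response came from requestHost.
function evaluateCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // A leading dot is ignored; an empty/missing attribute means host-only.
  const domain = (domainAttr || "").toLowerCase().replace(/^\./, "");
  if (domain === "") {
    return { accepted: true, hostOnly: true, scope: host };
  }
  if (PUBLIC_SUFFIXES.has(domain)) {
    // A public suffix is tolerated only when it equals the request host,
    // and then the cookie is downgraded to host-only.
    if (domain === host) {
      return { accepted: true, hostOnly: true, scope: host };
    }
    return { accepted: false, reason: "Domain is a public suffix" };
  }
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: "request host does not domain-match Domain" };
  }
  return { accepted: true, hostOnly: false, scope: domain };
}

// The question's case, a host-only cookie, then a hypothetical custom domain.
const cases = [
  ["api.azurewebsites.net", "azurewebsites.net"],
  ["api.azurewebsites.net", ""],
  ["api.example.com", "example.com"],
];
for (const [host, domain] of cases) {
  console.log(host, JSON.stringify(domain), evaluateCookieDomain(host, domain));
}
```

Only the third case yields a cookie that both sub domains receive; the first is dropped outright, and the second is stored but sent only to api.azurewebsites.net.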
