Cookies are not sent to CDN subdomain?

Hello,

I’m running all assets on a CDN-enabled subdomain. However, I’ve found that some attachments are now returning 404. These attachments are located in a private section of the forum.

Using the browser’s dev tools, I found that these attachments are now using the CDN subdomain, and cookies are not being sent, resulting in me not being logged in, hence the 404. The /login or /session request (whichever sets the cookie) does not have a Domain key in Set-Cookie.

I found some posts before related to the problem, but nothing is clear:
https://meta.discourse.org/t/setting-the-session-token–t-on-the-entire-domain-not-just-my-subdomain/43254/5
https://meta.discourse.org/t/serving-static-assets-using-cookie-free-domain/113916

At this point I’m not sure whether this is a problem with my config or a bug. Or maybe intended behavior.

I’m aware of the option ‘prevent anons from downloading files’, but I would like it to remain checked.

Please help, and thanks for the awesome software.

An example, lest I have not explained it clearly:

The forum is on bbs.example.com, thus all session cookies are on that domain.
Assets are on bbs-cdn.example.com.
The private attachment has an address of bbs-cdn.example.com/uploads/xxxxxx.mp4.
When I tried to download it, no cookies were sent because that is not the same domain. So no session, no log-in, 404.

1 Like
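
The cookie scoping described in the post above, as an added example that is not part of the original post and not Discourse code: a simplified model of the RFC 6265 domain-match rule applied to the post's two hostnames. The cookie name `session` and the helper names are assumptions, and the public-suffix check that browsers also apply is left out.

```javascript
// RFC 6265 section 5.1.3: a host matches a cookie domain when it is
// identical to it or ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Model what a browser stores after Set-Cookie from originHost.
// domainAttr undefined means no Domain attribute: a host-only cookie.
function storeCookie(originHost, name, domainAttr) {
  if (domainAttr === undefined) {
    return { name, domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A server may only set a cookie for a domain its own host matches;
  // anything else is rejected and never stored.
  if (!domainMatch(originHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the browser attach this cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

const FORUM = "bbs.example.com";   // hostnames taken from the post
const CDN = "bbs-cdn.example.com";

// Each case is a Set-Cookie variant issued by the forum host.
function report() {
  const cases = [
    ["no Domain attribute (as in the post)", undefined],
    ["Domain=bbs.example.com", "bbs.example.com"],
    ["Domain=bbs-cdn.example.com", "bbs-cdn.example.com"],
    ["Domain=example.com", "example.com"],
  ];
  return cases.map(([label, attr]) => {
    const cookie = storeCookie(FORUM, "session", attr); // constructed name
    return { label, forum: isSentTo(cookie, FORUM), cdn: isSentTo(cookie, CDN) };
  });
}

console.table(report());
```

Only the `Domain=example.com` case reaches the CDN host, because bbs-cdn.example.com is a sibling of bbs.example.com rather than a subdomain of it. That same setting also sends the session cookie to every other host under example.com.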

Hello, can anyone help?