I have a typical web app setup where a front end SPA app (Blazor WASM) is communicating with a backend (.NET API). I control both environments and they are hosted at the following locations:
SPA: https://www.client-portal.company.com
API: https://www.api.client-portal.company.com
I use cookie authentication to authenticate users via the invite/confirmation code process. The problem is that I want to make a long lasting authentication cookie but Safari (and ONLY Safari) keeps setting the cookie to expire in 7 days.
Now I am aware of WebKit's tracking prevention policies defined here: https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp
However I'm either unable, or not smart enough, to understand the first vs. second vs. third party logic defined there. In my head, the setup I have is the first party setup and I would imagine that many companies have a similar hosting setup/naming. I cannot place the API under the same URL as the front end app unless I do some reverse proxy YARP setup, which seems like overkill just to satisfy the policy of one browser.
Am I missing something obvious here? Can you please tell me how/where/what URL should I host my SPA/API in order for the cookie to persist beyond 7 days?
For reference, the cookie being created has the following properties:
DOMAIN: client-portal.company.com
HOSTONLY: true
SECURE: true
HTTPONLY: true
SAMESITE: Strict
PATH: /
Any help would be greatly appreciated. Thanks!
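As an added example (not part of the question or of the app described), a small Python helper that reads what a Set-Cookie header actually declares: whether the cookie is host-only or Domain-scoped (which decides whether www.api.client-portal.company.com receives a cookie set by www.client-portal.company.com) and the lifetime it asks for, so the server-declared lifetime can be compared against what Safari ends up storing. The header strings and the helper names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header: str, now: datetime) -> dict:
    """Parse one Set-Cookie header (hypothetical helper, not from the question).

    Returns the cookie name, whether it is host-only (no Domain attribute),
    its domain, Secure/HttpOnly/SameSite flags and lifetime_days
    (None for a session cookie).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    lifetime = None
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    domain = attrs.get("domain", "").lstrip(".").lower() or None
    return {
        "name": name.strip(),
        "host_only": domain is None,  # Domain attribute absent => host-only
        "domain": domain,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "").capitalize() or "Lax",
        "lifetime_days": None if lifetime is None else lifetime.total_seconds() / 86400,
    }


def sent_to(cookie: dict, request_host: str, set_by_host: str) -> bool:
    """Would a cookie stored from set_by_host be sent to request_host?

    Host-only cookies match the exact host; Domain cookies match the domain
    and every subdomain (RFC 6265 domain-matching).
    """
    host = request_host.lower()
    if cookie["host_only"]:
        return host == set_by_host.lower()
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Constructed header, mirroring the attributes listed in the question
    hdr = "auth=abc; Domain=client-portal.company.com; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=7776000"
    c = parse_set_cookie(hdr, now)
    print(c, sent_to(c, "www.api.client-portal.company.com", "www.client-portal.company.com"))
```

Run it against the real Set-Cookie header from the API (e.g. from the browser's network panel) and compare lifetime_days with the expiry shown in Safari's cookie storage to tell a server-side cap from a browser-side one.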