New lesson: Third-party Cookies

[mao-sz]

Lesson: Third-party Cookies

Lesson overview

Lesson about third-party (cross-site) cookies, restrictions, and how to utilise them for auth with cross-site deployments.

Lesson outline

The following items define the scope of the lesson. The lesson outline is flexible; you can improve, expand, and omit items whilst writing lesson content (make sure the pull request description mentions that).

• Discussion of third-party cookie restrictions/phase out and how that relates to cross-site deployments.
  • May involve discussion of how different browsers restrict such cookies.
• Discussion of relevant approaches to allow for the use of cookies for authentication for cross-site deployments.
  • Focus on sessions as the curriculum recommendation going forward, but can mention JWTs as well since the principle is the same.
  • Discuss how same-site cookies can be used if both ends are on the same domain.
  • Instruct how to use rewrite rules in hosts like Netlify or Vercel as reverse proxies, so the main client ends up making same-origin requests and has same-site cookies set.

Acceptance criteria

If the requirements here are not met, the work effort is not complete.

• Lesson conforms to the outline above (unless outline has been modified).
• Lesson follows our Layout Style Guide.

Additional information

This is part of the ongoing Node revamp and so is open to the revamp team.

Get the lesson template

Download the lesson template using the following command (replace lesson_name with the actual lesson name):

curl -o <lesson_name>.md https://raw.githubusercontent.com/TheOdinProject/curriculum/main/templates/lesson-template.md 

[github-actions]

This issue is stale because it has had no activity for the last 30 days.

[Zadag]

I would take a shot at this but I'm unsure of the intent. I think the lesson overview "Lesson about third-party (cross-site) cookies, restrictions, and how to utilise them for auth with cross-site deployments" might be somewhat flawed. As 3rd party cookies continue to be phased out I don't think there's a good way to share cookies across domains for auth purposes; that workflow is entirely reliant on 3rd party cookie support. At the same time, I think it's difficult to get into the weeds of 3rd party cookie replacements like CHIPS without getting into Oauth or self hosted analytics which seems outside the scope of the node module.

If I were to write this I would likely spend the first half giving a brief history of third party cookies (their intent, the tracking nightmare) but I wouldn't go into any solutions, I would just advise learners not to use cookies for cross domains purposes period unless you really know what you're doing. The latter half would ideally show an example of a session based strategy in express whereby tokens are sent as an Auth header and a session is created on the backend but I believe that would conflict with the existing session lesson that utilizes cookies

[mao-sz]

Replying in the revamp Discord discussion as requested.

EDIT: lesson outline edited to clarify intent and better reflect the discussion points from Discord

[github-actions]

This issue is stale because it has had no activity for the last 30 days.

[mao-sz]

Closing as per https://discord.com/channels/505093832157691914/1181210153358471168/1390089775846785175

Will be reducing the scope of this content and combining it with #29814