Cookie consent domain #103

Open
mikemonteith opened this issue May 4, 2020 · 4 comments
Comments

@mikemonteith
Contributor

We do not explicitly set a domain for our consent cookie; this means the browser uses the domain it is being run on (e.g. www.nhs.uk).

We should add a setting to allow the cookie domain to be configured.
This would allow sites with subdomains to set their cookie setting to allow all subdomains to use the same cookie settings.

e.g. if the domain setting was set to ".example.com", the cookie settings could be shared across a.example.com, b.example.com, etc.

@mikemonteith
Contributor Author

This feature is needed by at least two sites.

  • NHS Login
  • covid19.nhs.uk

@mikemonteith
Contributor Author

What should happen if a user has already accepted the cookie banner for example.com before the site owner changes the domain to .example.com?
This situation needs to be explored.

@darrenhutton

This could help when users are moving between NHS online services. Example of repeat prescriptions service:

  • user starts on www.nhs.uk and agrees to cookies
  • user clicks a link to nhsapp.service.nhs.uk and again has to agree to cookies
  • user authenticates on login.nhs.uk and again has to agree to cookies

Some cookies will be unique to each service, so this might be a technical constraint, but it isn't a good user experience.

@mikemonteith
Contributor Author

@darrenhutton Agreed, this is an annoying UX.
Unfortunately, to mitigate the "supercookie" problem, browsers check against a list of top-level domains for which they will not allow you to set cookies, and nhs.uk is one of them.

This means we can't share cookies between www.nhs.uk, service.nhs.uk, login.nhs.uk etc.

Also, there is a very wide range of sites under the .nhs.uk domain, some of which we wouldn't want to give the ability to change our cookie.
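The configurable-domain setting proposed in the opening post, together with the public-suffix and "already accepted on the old domain" points raised in the thread, as an added example in plain JavaScript (not the project's own code). The cookie name `consent` and the tiny suffix list are constructed placeholders.

```javascript
// Constructed, deliberately tiny subset of the Public Suffix List; real
// browsers ship the full list from publicsuffix.org, which includes nhs.uk.
const PUBLIC_SUFFIXES = new Set(['com', 'uk', 'co.uk', 'nhs.uk']);

// RFC 6265 ignores a leading dot in the Domain attribute; strip it and lowercase.
function normaliseDomain(domain) {
  return domain.replace(/^\./, '').toLowerCase();
}

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(normaliseDomain(domain));
}

// True when `host` equals `domain` or is a subdomain of it (RFC 6265 domain-match).
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = normaliseDomain(domain);
  return h === d || h.endsWith('.' + d);
}

// Build the string passed to document.cookie. Without `domain` the cookie is
// host-only; with one it is shared with every subdomain of `domain`.
// 'consent' is a hypothetical cookie name, not the banner's real one.
function buildConsentCookie({ name = 'consent', value, host, domain, maxAgeSeconds = 365 * 24 * 3600 }) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', `Max-Age=${maxAgeSeconds}`, 'SameSite=Lax', 'Secure'];
  if (domain !== undefined) {
    if (isPublicSuffix(domain)) {
      throw new Error(`Domain=${domain} is a public suffix; browsers would reject the cookie`);
    }
    if (!domainMatches(host, domain)) {
      throw new Error(`Domain=${domain} does not cover ${host}; browsers would reject the cookie`);
    }
    parts.push(`Domain=${normaliseDomain(domain)}`);
  }
  return parts.join('; ');
}

// Simulate which stored cookies a browser sends to `host`. A host-only cookie
// set earlier on www.example.com and a later Domain=example.com cookie are
// distinct, so both reach www.example.com and the consent logic must pick one.
function cookiesSentTo(host, jar) {
  return jar.filter((c) => (c.hostOnly ? c.domain === host.toLowerCase() : domainMatches(host, c.domain)));
}

// Constructed jar: user accepted on www.example.com before the domain was widened.
const EXAMPLE_JAR = [
  { name: 'consent', value: 'accepted', domain: 'www.example.com', hostOnly: true },
  { name: 'consent', value: 'rejected', domain: 'example.com', hostOnly: false },
];
```

Running `cookiesSentTo('www.example.com', EXAMPLE_JAR)` returns both records, which is the ambiguity the thread asks about; `buildConsentCookie({ value: 'accepted', host: 'www.nhs.uk', domain: '.nhs.uk' })` throws because nhs.uk is a public suffix.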
