Herbie Vine

Reputation: 2025

React & Node: Cookie has been rejected for invalid domain

I have made a website using Node for the server and Next for the front-end. When I log in, I make a request with these headers:

access-control-allow-credentials: true
access-control-allow-origin: https://loop.herbievine.com
server: nginx
set-cookie: lid=s%3AF4sw6csUWeU-nytZoR5w6nrkR_4gbpd2.zt5brbuuedQiyurZOB4Hn%2FSpRa8JqtrlYhY5AHxs9Yk; Domain=https://loop.herbievine.com; Path=/; Expires=Thu, 01 Apr 2021 15:11:56 GMT; HttpOnly; Secure; SameSite=Lax
strict-transport-security: max-age=15724800; includeSubdomains
vary: Origin
x-powered-by: Express

See, I get a set-cookie header back. In the console, I see: Cookie “lid” has been rejected for invalid domain.

On my server, I initialize the cookie with Redis like so:

session({
    name: COOKIE_NAME,
    store: new Store({
        client: redis,
        disableTouch: true
    }),
    cookie: {
        httpOnly: true,
        secure: process.env.NODE_ENV === 'production',
        sameSite: 'lax',
        maxAge: 1000 * 60 * 60 * 24 * 7, // 1 week
        domain: process.env.CORS_ORIGIN // this being set to https://loop.herbievine.com
    },
    saveUninitialized: false,
    secret: process.env.SESSION_SECRET,
    resave: false
})

So why is this failing? Is there an additional setting to use?

Btw, I'm using Vercel + Cloudflare for all DNS settings, and the server is running in a VPS + dokku on Digital Ocean.

Upvotes: 2

Views: 14621

Answers (1)

Tarun Lalwani

Reputation: 146630

The issue seems to be that you are using a URL instead of a domain. You should use the domain loop.herbievine.com instead of https://loop.herbievine.com.

If you would like to share cookies with other subdomains, then you will use the domain as .herbievine.com.

Upvotes: 4
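
The point made in the answer, as an added example that is not code from the original post or from express-session: it derives a bare hostname from the origin URL and applies the RFC 6265 domain-match that a browser runs on `Set-Cookie`. The function names are hypothetical, and `api.herbievine.com` is a constructed host used only to show subdomain sharing.

```javascript
// Added example, not code from the original post.

// RFC 6265 section 5.2.3: one leading dot on the Domain attribute is ignored.
function normalizeDomainAttr(value) {
  return String(value).trim().toLowerCase().replace(/^\./, '');
}

// A Domain attribute is a bare hostname: no scheme, port, path or spaces.
function isValidCookieDomain(value) {
  const label = '(?!-)[a-z0-9-]{1,63}(?<!-)';
  return new RegExp(`^${label}(\\.${label})*$`).test(normalizeDomainAttr(value));
}

// Derive the attribute from an origin URL such as process.env.CORS_ORIGIN.
function cookieDomainFromOrigin(origin) {
  const host = new URL(origin).hostname;
  if (!isValidCookieDomain(host)) throw new Error(`not a cookie domain: ${host}`);
  return host;
}

function isIpLiteral(host) {
  return host.includes(':') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.1.3 domain-match, which the browser applies to Set-Cookie:
// the responding host equals the domain, or is a subdomain of it and not an IP.
function domainMatches(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const d = normalizeDomainAttr(domainAttr);
  return host === d || (host.endsWith('.' + d) && !isIpLiteral(host));
}

// Values from the question and answer; api.herbievine.com is a constructed host.
const configured = 'https://loop.herbievine.com';
console.log(isValidCookieDomain(configured));                        // false
console.log(cookieDomainFromOrigin(configured));                     // loop.herbievine.com
console.log(domainMatches('loop.herbievine.com', configured));       // false
console.log(domainMatches('api.herbievine.com', '.herbievine.com')); // true
```

Leaving `cookie.domain` unset in express-session produces a host-only cookie, which is the narrowest scope; setting a parent domain such as `.herbievine.com` sends the session cookie to every subdomain.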
