Reputation: 2025
I have made a website using Node for the server and Next for the front-end. When I log in, I make a request and get back these response headers:
access-control-allow-credentials: true
access-control-allow-origin: https://loop.herbievine.com
server: nginx
set-cookie: lid=s%3AF4sw6csUWeU-nytZoR5w6nrkR_4gbpd2.zt5brbuuedQiyurZOB4Hn%2FSpRa8JqtrlYhY5AHxs9Yk; Domain=https://loop.herbievine.com; Path=/; Expires=Thu, 01 Apr 2021 15:11:56 GMT; HttpOnly; Secure; SameSite=Lax
strict-transport-security: max-age=15724800; includeSubdomains
vary: Origin
x-powered-by: Express
See, I get a set-cookie header back. In the browser console, I see: Cookie “lid” has been rejected for invalid domain.
On my server, I initialize the session cookie, backed by Redis, like so:
const session = require('express-session');
const RedisStore = require('connect-redis')(session); // connect-redis v5-style store factory
const redis = require('redis').createClient();         // the Redis client the store uses
const COOKIE_NAME = 'lid';                              // matches the "lid" cookie in the set-cookie header

app.use(session({
  name: COOKIE_NAME,
  store: new RedisStore({
    client: redis,
    disableTouch: true
  }),
  cookie: {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'lax',
    maxAge: 1000 * 60 * 60 * 24 * 7, // 1 week
    domain: process.env.CORS_ORIGIN // this being set to https://loop.herbievine.com
  },
  saveUninitialized: false,
  secret: process.env.SESSION_SECRET,
  resave: false
}));
So why is this failing? Is there an additional setting to use?
Btw, I'm using Vercel + Cloudflare for all DNS settings, and the server is running on a VPS with dokku on Digital Ocean.
Upvotes: 2
Views: 14621
Reputation: 146630
The issue seems to be that you are using a URL instead of a domain. You should use the domain loop.herbievine.com instead of https://loop.herbievine.com.
If you would like to share cookies with other subdomains, then you will use the domain .herbievine.com.
Upvotes: 4
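The answer's point is that the cookie Domain attribute takes a bare host name, never a URL. The following is an added example (not code from the question, the answer, or express-session itself) that derives a valid Domain value from an origin string such as the CORS_ORIGIN variable in the question, rejects values a browser would refuse, and builds the cookie options accordingly. The function names, the "shareWithSubdomains" option, and the sample origin are assumptions made for this illustration.

```javascript
// Added example, not from the original post: turn a CORS origin (a URL) into
// a value that is valid for the cookie Domain attribute, so a URL is never
// handed to express-session's cookie.domain option.

// Mirrors the checks a browser applies before accepting a Domain attribute:
// no scheme, no path, no port, no whitespace, and a plausible DNS name.
// A value like "https://loop.herbievine.com" fails here, which is what the
// browser console reported as "rejected for invalid domain".
function isValidCookieDomain(domain) {
  if (typeof domain !== "string" || domain.length === 0) return false;
  if (/[\/:\s]/.test(domain)) return false;
  return /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/i.test(domain);
}

// Reduces a full URL (scheme, port, path) to its hostname; a bare hostname
// passes through unchanged. A leading dot is stripped because RFC 6265
// ignores it, so ".herbievine.com" and "herbievine.com" mean the same thing.
function cookieDomainFromOrigin(origin) {
  let host = String(origin).trim();
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(host)) {
    host = new URL(host).hostname; // "https://loop.herbievine.com/x" -> "loop.herbievine.com"
  }
  host = host.replace(/^\.+/, "").toLowerCase();
  if (!isValidCookieDomain(host)) {
    throw new Error(`not a valid cookie Domain: ${JSON.stringify(origin)}`);
  }
  return host;
}

// Builds the cookie options object for express-session. By default the
// Domain is the exact host (as the answer recommends); with
// shareWithSubdomains=true the first label is dropped so every
// *.herbievine.com host receives the session cookie (assumed option name).
function sessionCookieOptions(corsOrigin, { production = false, shareWithSubdomains = false } = {}) {
  const host = cookieDomainFromOrigin(corsOrigin);
  const labels = host.split(".");
  const domain = shareWithSubdomains && labels.length > 2 ? labels.slice(1).join(".") : host;
  return {
    httpOnly: true,
    secure: production,
    sameSite: "lax",
    maxAge: 1000 * 60 * 60 * 24 * 7, // 1 week
    domain,
  };
}

// Usage with a constructed origin standing in for process.env.CORS_ORIGIN.
const exampleOrigin = "https://loop.herbievine.com";
console.log(cookieDomainFromOrigin(exampleOrigin));
console.log(sessionCookieOptions(exampleOrigin, { production: true, shareWithSubdomains: true }));
```

One practical caveat: a Domain attribute widens the cookie's scope to every subdomain of that value, so if only loop.herbievine.com needs the session, omitting `domain` from the cookie options entirely yields a host-only cookie, which is the narrowest scope a browser offers.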