Paymahn Moghadasian

Reputation: 10329

Cookie does not persist across redirect in production

I'm building a web application that uses cookies to track the user session. These cookies work flawlessly in development on localhost but they aren't working correctly in production. I suspect this is because I have some cookie settings misconfigured but I'm not sure which.

One thing to note is that the webapp runs at app.goldsky.com and the api runs at api.goldsky.io (note the different TLDs).

The application I'm building uses a tool called WorkOS for user authentication.

The authentication flow is as follows:

  1. User visits website, enters their email and presses the login button
  2. Request is sent to backend (api.goldsky.io)
  3. Backend generates an authentication URL using the WorkOS SDK (of the form api.workos/...) and sends this to the frontend
  5. The frontend navigates to this WorkOS authentication URL and proceeds through the auth flow
  5. If successful, WorkOS redirects the user to my backend (api.goldsky.io/auth/workos/callback)
  6. My backend generates a session token, sets a secure, httpOnly, path=/ cookie with the session token (goldsky_session=...) and redirects the user back to the webapp (app.goldsky.com)

In localhost this all works flawlessly. However, in production I don't see the cookie persist after step 6 completes.

In production, the response to step 5 contains the cookie

[screenshot]

however after the redirect back to the webapp, the cookie seems to disappear. Here's the request to app.goldsky.com (the redirect from step 6) and it doesn't have the cookie header.

[screenshot]

and just for completeness, here's a screenshot of the cookies for app.goldsky.com - it's empty:

[screenshot]

By comparison, the final redirect on localhost contains the cookie:

[screenshot]

How come my cookie does not persist after redirecting from api.goldsky.io to app.goldsky.com? Do I need to set the Domain attribute for the cookie? If so, what should I set it to? Maybe this is a SameSite problem?

Upvotes: 0

Views: 840
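To make the redirect in the question concrete, here is an added example (not code from the question, from WorkOS, or from the poster's application) that models the RFC 6265 rules a browser applies when it decides whether to store a Set-Cookie and whether to attach a stored cookie to a later request. The hostnames are the ones from the question; the cookie value and request paths are constructed, and the public-suffix check that real browsers also perform on the Domain attribute is omitted.

```javascript
// Added example: a small model of the RFC 6265 cookie storage and
// cookie-sending rules. Hostnames come from the question; the cookie
// value and paths are constructed for illustration.

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // host must end with "." + domain and must not be an IPv4 literal
  return host.endsWith('.' + domain) && !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

// RFC 6265 section 5.1.4: default path when no Path attribute is given
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const i = requestPath.lastIndexOf('/');
  return i === 0 ? '/' : requestPath.slice(0, i);
}

// RFC 6265 section 5.1.4: path-match
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie header value into name/value plus attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: null, path: null, secure: false, httpOnly: false, sameSite: 'Lax',
  };
  for (const part of attrParts) {
    const [k, ...rest] = part.trim().split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val;
  }
  return cookie;
}

// RFC 6265 section 5.3 (abridged): returns the stored cookie, or null when the
// browser would discard it. Real browsers also reject Domain values that are
// public suffixes (e.g. "com"); that list is not modelled here.
function storeCookie(jar, requestHost, requestPath, header) {
  const c = parseSetCookie(header);
  if (c.domain === null) {
    c.domain = requestHost.toLowerCase(); // no Domain attribute: host-only cookie
    c.hostOnly = true;
  } else {
    if (!domainMatches(requestHost, c.domain)) return null; // step 6: ignore it
    c.hostOnly = false;
  }
  if (c.path === null) c.path = defaultPath(requestPath);
  jar.push(c);
  return c;
}

// RFC 6265 section 5.4: names of stored cookies that go on a request.
function cookiesFor(jar, requestHost, requestPath, isHttps) {
  return jar.filter(c =>
    (c.hostOnly ? requestHost.toLowerCase() === c.domain
                : domainMatches(requestHost, c.domain)) &&
    pathMatches(requestPath, c.path) &&
    (!c.secure || isHttps)
  ).map(c => c.name);
}

// Scenario from the question: api.goldsky.io sets the session cookie in the
// callback response, then redirects the browser to app.goldsky.com.
function scenario(setCookieHeader) {
  const jar = [];
  const stored = storeCookie(jar, 'api.goldsky.io', '/auth/workos/callback', setCookieHeader);
  return {
    stored: stored !== null,
    sentToApp: cookiesFor(jar, 'app.goldsky.com', '/', true),
    sentToApi: cookiesFor(jar, 'api.goldsky.io', '/user', true),
  };
}

console.log(JSON.stringify(scenario('goldsky_session=abc123; Path=/; Secure; HttpOnly')));
```

Run it with node and try three header variants: with no Domain attribute the cookie is host-only for api.goldsky.io; `Domain=.goldsky.io` is accepted and shared with other goldsky.io hosts; `Domain=goldsky.com` is discarded at storage time because api.goldsky.io does not domain-match it. In none of the three cases is the cookie attached to the request for app.goldsky.com, since the two hosts share no registrable domain; the cookie is attached to later requests to api.goldsky.io, which is where a session check would read it. SameSite is parsed but not enforced by this model.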

Answers (1)

Paymahn Moghadasian

Reputation: 10329

Turns out I had an nginx misconfiguration issue which was rejecting requests to specific paths. Nginx was only allowing requests to /auth and a few others. My login logic was under /auth but the user query was at /user which nginx was rejecting.

Upvotes: 0
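The shape of the allowlist the answer describes, as a hypothetical nginx fragment added here (not the poster's actual configuration; the upstream address and path set are assumed), with the entry whose absence caused the `/user` request to be refused:

```nginx
# Hypothetical reconstruction, not the poster's config: a reverse proxy in
# front of the backend at api.goldsky.io that only proxies listed prefixes.
upstream backend {
    server 127.0.0.1:8080;   # assumed backend address
}

server {
    listen 443 ssl;
    server_name api.goldsky.io;
    # ssl_certificate / ssl_certificate_key omitted

    # Allowlisted prefix: login flow, including /auth/workos/callback.
    # Note that a prefix location also matches longer names such as /authx;
    # use "location ^~ /auth/" or a regex when that matters.
    location /auth {
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }

    # The entry that was missing: without it, /user falls through to the
    # catch-all below, so the session lookup fails even though the cookie
    # was set correctly on the callback response.
    location /user {
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }

    # Everything not listed above is refused.
    location / {
        return 404;
    }
}
```

Before and after changing the allowlist, requesting each application path directly and comparing status codes (a 404 from the catch-all versus the backend's own response) shows which prefixes the proxy is actually passing through.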
