4

I have a working sign up and sign in end point when using desktop browsers (only Chrome), but when trying to sign up or sign in using a mobile browser, the server times out. I suspect this is because my session cookies and csurf cookies are not being sent over with my fetch request.

I have opened Safari development on my mobile browser, and it does not show any cookies. I suspect now that this is because of MaxAge --

Note that my api and client are on separate domains, Heroku and Netlify. See the code below:

CORS Options

const options = {

  origin: "clientUrl",
  methods: "GET,HEAD,PUT,PATCH,POST,DELETE",
  allowedHeaders: [
    "Content-Type",
    "Access-Control-Allow-Headers",
    "Access-Control-Allow-Origin",
    "Authorization",
    "csrf-token"
  ],
  exposedHeaders: [
    "Content-Type",
    "Access-Control-Allow-Headers",
    "Access-Control-Allow-Origin",
    "Authorization",
    "csrf-token"
  ],

  maxAge: 3600,
  preflightContinue: true,
  credentials: true
};

CSURF Config 

app.use(
  csurf({
    cookie: true,
    domain: "clientUrl",
    sameSite: "none"
  })
);

Express Session Config

app.use(
  session({
    //This is our Encryption Key
    secret: process.env.sessionCode,
    //We set resave to false because our mongo store implements the "touch" function
    resave: false,
    //We Set saveUninitialized to false because we don't want to save unmodified
    //sessions to our mongo store
    secure: true,
    domain: "clientUrl",
    saveUninitialized: false,
    unset: "destroy",
    sameSite: "none",
    store: new MongoStore({
      mongooseConnection: mongoose.connection,
      //We encrypt out store code
      code: process.env.storeCode
    })
  })
);
sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
WriterState
  • 359
  • 3
  • 18
  • Have you checked the cookie Preferences of the mobile browser ? If it was disabled somehow then you code might be failed. – Pengson Dec 18 '19 at 02:31
  • Yeah - it allows them. :( – WriterState Dec 18 '19 at 02:45
  • Can you confirm that the save fetch request on the same page does carrier any cookie and send to service successfully? – Pengson Dec 18 '19 at 02:48
  • On desktop it has to, or else the sign in auth wouldn’t work. – WriterState Dec 18 '19 at 03:23
  • I thought maybe this was an issue with third party cookies not being allowed in mobile. – WriterState Dec 18 '19 at 03:24
  • Hopefully, https://subinsb.com/set-same-cookie-on-different-domains/ would help. – Pengson Dec 18 '19 at 03:37
  • @sideshowbarker - do you have any insight into this? It's working fine in Chrome and Firefox. Just not Safari. – WriterState Dec 21 '19 at 23:42
  • Sorry, no, I don’t have any insight beyond just the fact it’s not related to CORS (which is why I removed the [cors] tag). If there were any CORS problem, the browser would be logging a specific CORS error in the devtools console. So I think you can at least rule out there being any problems in your CORS config. – sideshowbarker Dec 21 '19 at 23:46
  • I'm not sure I agree - it works on localhost. Something in safari is not allowing CORs – WriterState Dec 22 '19 at 00:21
  • What's your chrome version? – vidu.sh Dec 26 '19 at 19:53
  • Safari does not allow cross-domain cookies. Maybe this will help: https://stackoverflow.com/questions/408582/setting-cross-domain-cookies-in-safari – basdanny Dec 27 '19 at 16:46
  • There appears to be no way around the issue, Safari needs the setting to be changed manually. Having a cross domain api is an awful idea for session management. – WriterState Dec 27 '19 at 20:25
  • I just launched my web app and ran into the same problem. Chrome on iOS seems to have jumped on the same bandwagon. No cross domain cookies, meaning iphones cant log in to my site :/. What did you end up doing? – Chano Jun 11 '21 at 06:14
  • 1
    @Chano I never found a solution. I wound up simply hosting the front end on the same domain as the backend. – WriterState Jul 01 '21 at 01:35

1 Answers1

5

After a battle I've figured this out with the help of this post Setting a domain with Express sessions stops cookie from being saved.

The issue comes down to third party cookies.

If you're sending data from server.herokuapp.com to site.herokuapp.com you're going to have this issue. The solution is to use the same custom domain for both your frontend and backend Heroku applications.

You should add a custom domain to your frontend and a subdomain to your backend Heroku application. Frontend should look like mywebsite.com and backend should look like server.mywebsite.com.

Within your DNS the subdomain should be server in this example and point to the Heroku DNS target for the backend. The frontend subdomain should be @ or www and point to the Heroku DNS target for the frontend.

Once your applications are being served from the same URL and you have cors set up you will no longer have any third party cookie issues.

You can read more about this here

AndrewLeonardi
  • 3,351
  • 9
  • 47
  • 100
  • I've tried everything I can, nothing seems to work for me. Pls is there any other solution you think might solve this? I have applied this answer but it didnot solve my problem – Paulliano Oct 18 '22 at 15:00
  • Are you using Heroku for both your frontend and backend? – AndrewLeonardi Oct 19 '22 at 18:03