
Hello, I am developing a web app with a microservices architecture.

I am using golang (Fiber) on the backend and Next.js on the frontend.

When I send a request from restaurant.quiqr.co/signin to api.quiqr.co/auth/signin, I am sending a cookie alongside the response from api.quiqr.co containing the JWT token. Everything works fine in Postman; I can see the cookie being stored and sent with any follow-up request.

But when it comes to web browsers, my cookie is not being stored. What could be the issue?

I am using Kubernetes with Ingress NGINX, but as I mentioned before, everything works in Postman.

I tried to modify the cookie domain to .quiqr.co or restaurant.quiqr.co, but this did not work. I even tried all of the SameSite attributes, but nothing worked.

The only solution that worked is when I put all of them under the same domain. For example: quiqr.co/api/auth/signin and quiqr.co/restaurant/signin, the returned cookie will have a .quiqr.co domain and everything would work fine.

I also realized that when I do so, the browser won't send a preflight request, but if I separate them again into subdomains, the browser sends a preflight request and the returned cookie won't be stored.

So what could be the issue here? Thank you.

[Screenshot: both requests, preflight and XHR]

[Screenshot: XHR request content]

[Screenshot: no cookies in my devtools]

Louis
  • How have you checked that the cookie has not been stored (did you use [devtools](https://developer.chrome.com/docs/devtools/storage/cookies/)?). It will be easier to answer if we can see the relevant `set-cookie` header because there are a number of potential causes (e.g. [SameSite=None requires Secure](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#fixing_common_warnings)) - see [this answer](https://stackoverflow.com/a/4423097/11810946) for info on viewing headers. – Brits Jan 12 '22 at 20:20
  • @Brits Yes, I did check the devtools to see if the cookie has been stored (devtools -> Application -> Cookies) and found nothing there. I will add pictures to my question showing the request. – Louis Jan 12 '22 at 21:45
  • @Brits I added the screenshots; if you can, please check them. – Louis Jan 12 '22 at 22:23
  • You set a cookie for the `quiqr.co` domain, but then check it at `restaurant.quiqr.co`. If you want it to be set for all subdomains - do `.quiqr.co` (see the leading dot) – zerkms Jan 12 '22 at 22:30
  • @zerkms For information, in modern browsers, [the leading dot has no impact](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes). Rather, it's the explicit setting of the `Domain` attribute that causes browsers to send the cookie to that domain's subdomains. – jub0bs Jan 13 '22 at 06:26
  • @jub0bs oh wow, I hadn't used it since long time ago and didn't know that, thanks! – zerkms Jan 13 '22 at 07:22
  • @zerkms I did try that before, but it did not work. Thank you. – Louis Jan 13 '22 at 09:00

1 Answer

I had the same issue, just looked into the docs and found out: we need to set CORS using the CORS middleware.

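```go
// cors is Fiber's CORS middleware package (github.com/gofiber/fiber/v2/middleware/cors).
app.Use(cors.New(cors.Config{
    AllowOrigins:     "http://localhost:5173, http://localhost:5174",
    AllowHeaders:     "Origin, Content-Type, Accept",
    // Emits Access-Control-Allow-Credentials: true, needed for requests that carry cookies.
    AllowCredentials: true,
}))
```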

`AllowCredentials: true` is the main thing!

Hope it helped!

Super Kai - Kazuya Ito
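The response headers that `AllowCredentials: true` is meant to produce, written with Go's standard library so it runs without Fiber or a browser; this is an added example, not code from the question or the answer. The `signin` handler, the `jwt` cookie name, the token value and the `https://restaurant.quiqr.co` origin are assumptions built from the hostnames in the question, and `corsCheck` mirrors the two conditions a browser applies to a credentialed cross-origin response.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const frontendOrigin = "https://restaurant.quiqr.co" // assumed, from the question's hostnames

// signin is a hypothetical stand-in for the API's /auth/signin handler.
func signin(w http.ResponseWriter, r *http.Request) {
	if origin := r.Header.Get("Origin"); origin == frontendOrigin {
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin) // exact origin, not "*"
		h.Set("Access-Control-Allow-Credentials", "true")
		h.Set("Access-Control-Allow-Headers", "Content-Type")
	}
	if r.Method == http.MethodOptions { // preflight gets headers only
		w.WriteHeader(http.StatusNoContent)
		return
	}
	// Both hosts share the site quiqr.co, so SameSite=Lax is enough here.
	http.SetCookie(w, &http.Cookie{Name: "jwt", Value: "constructed-token",
		Domain: "quiqr.co", Path: "/", HttpOnly: true, Secure: true,
		SameSite: http.SameSiteLaxMode})
}

// corsCheck mirrors the browser's CORS check for a credentialed request.
func corsCheck(h http.Header, origin string) error {
	acao, acac := h.Get("Access-Control-Allow-Origin"), h.Get("Access-Control-Allow-Credentials")
	if acao != origin || acac != "true" {
		return fmt.Errorf("blocked: Allow-Origin=%q Allow-Credentials=%q", acao, acac)
	}
	return nil
}

// probe replays one request from origin against the handler, offline.
func probe(method, origin string) *http.Response {
	req := httptest.NewRequest(method, "https://api.quiqr.co/auth/signin", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	signin(rec, req)
	return rec.Result()
}

func main() {
	res := probe(http.MethodPost, frontendOrigin)
	fmt.Println(corsCheck(res.Header, frontendOrigin), res.Cookies())
}
```

On the Next.js side the request also has to be sent in credentialed mode (`fetch` with `credentials: "include"`, or `withCredentials` on XHR); without it the browser ignores `Set-Cookie` on a cross-origin response.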