
I have my backend deployed on Heroku and my frontend deployed on Vercel for SSR. Cookies were being set in dev on my local machine.

CORS settings:

```js
app.use(
  cors({
    origin: process.env.CORS_ORIGIN, // my deployed frontend https://kreddit.vercel.app
    credentials: true,
  })
);
```

Heroku uses a proxy, so I have this too:

```js
app.set("trust proxy", 1);
```

Session settings:

```js
cookie: {
  maxAge: 1000 * 60 * 60 * 24 * 365 * 10, // 10 years
  httpOnly: true,
  secure: __prod__, // cookie only works in https
  sameSite: "none", // csrf
  domain: __prod__ ? ".kreddit.vercel.app" : undefined,
},
```

My Apollo client settings for the frontend: `credentials: "include"`

My request and response:

[image: request and response headers]

Cookies:

[image]

The cookie is received but not being set, and the cookie storage remains empty. What's going wrong here? Thanks in advance.

G-8
  • You cannot set cookies for another domain, see [post](https://stackoverflow.com/a/6761443/10577550). – nflaig Feb 12 '22 at 11:18
  • @nflaig That is my frontend domain – G-8 Feb 12 '22 at 11:32
  • It does not really matter who owns the domain; if the backend is running on a different domain than the frontend, you cannot set cookies. – nflaig Feb 13 '22 at 12:06
  • @nflaig What should I do in this case then? – G-8 Feb 13 '22 at 15:47
  • In the post I linked are some workarounds, but I have not used those myself. A proper solution would be to run both on the same domain, e.g. frontend on `example.com` and backend on `api.example.com`. This allows setting cookies with a wildcard such as `.example.com`. – nflaig Feb 14 '22 at 14:22
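
The rule discussed in the comments, as an added example that is not part of the original thread: a simplified model of the checks a browser applies to a `Set-Cookie` header, including the RFC 6265 domain-match between the `Domain` attribute and the host that sent the response. The function names, the cookie name `qid`, and the hosts `myapp.herokuapp.com` and `api.example.com` are assumptions for illustration; the public-suffix and IP-address checks that browsers also apply are left out.

```javascript
// Added example: simplified browser-side Set-Cookie checks (RFC 6265 section 5.3).
// All host names and cookie values below are constructed for illustration.

// RFC 6265 section 5.1.3: does `host` domain-match the cookie's Domain attribute?
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// Parse "name=value; Attr=val; Flag" into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Decide whether a response from `responseHost` is allowed to store the cookie.
function evaluateSetCookie(header, responseHost, isHttps) {
  const { attrs } = parseSetCookie(header);
  if (attrs.secure && !isHttps)
    return { stored: false, reason: "Secure cookie over http" };
  if (String(attrs.samesite).toLowerCase() === "none" && !attrs.secure)
    return { stored: false, reason: "SameSite=None requires Secure" };
  if (typeof attrs.domain === "string" && !domainMatches(responseHost, attrs.domain))
    return { stored: false, reason: "Domain does not match response host" };
  return { stored: true, reason: "ok" }; // no Domain attribute means a host-only cookie
}

// Constructed header shaped like the production session settings in the question.
const SAMPLE =
  "qid=abc123; Path=/; HttpOnly; Secure; SameSite=None; Domain=.kreddit.vercel.app";

// Backend on a different registrable domain than the Domain attribute: rejected.
console.log(evaluateSetCookie(SAMPLE, "myapp.herokuapp.com", true));
// Layout suggested in the comments (api.example.com setting .example.com): stored.
console.log(
  evaluateSetCookie("qid=abc123; Secure; SameSite=None; Domain=.example.com",
    "api.example.com", true)
);
```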
