
I'm having issues understanding why my (session) cookie won't be set client-side. The error appearing on the devtools is the following:

This attempt to set a cookie via Set-Cookie header was blocked because its Domain attribute was invalid with regards to the current host url.


I did a bit of research, and it turns out it's a domain issue, since the frontend (Firebase) and the backend (Cloud Run) are on different domain names.

What disturbs me is that this issue doesn't arise when my frontend is running on localhost (even though the backend is still remote, on Cloud Run).

Here's the way I configured my session:

  app.set('trust proxy', 1);
  app.use(json());
  app.use(
    session({
      name: '__session',
      store: new RedisStore({ client: redisClient }),
      secret: options.sessionSecret,
      resave: false,
      saveUninitialized: false,
      cookie: {
        secure: process.env.NODE_ENV === 'PROD' ? true : 'auto',
        httpOnly: true,
        maxAge: 1000 * 60 * 60 * 24 * 7,
        sameSite: process.env.NODE_ENV === 'PROD' ? 'none' : 'lax',
        domain: '<FRONTEND_URL>',
      },
    })
  );

I feel like the domain property is incorrect, yet I have tried the frontend domain, the backend domain and the backend's root domain (run.app).

Am I missing something here? Or maybe misunderstanding something?

EDIT: As you can see in the screenshot, `Secure; SameSite=None` is provided in the cookie.

Fares
  • Try `SameSite=None; Secure`. Cookies with SameSite=None must now also specify the Secure attribute (in other words, they require a secure context). – John Hanley Nov 13 '22 at 00:24
  • My bad. I added a wider screen shot to the post. Secure is already enabled as well as HttpOnly. – Fares Nov 13 '22 at 00:29
  • Have a look at these Stack Overflow questions: [link1](https://stackoverflow.com/questions/60953427/cors-this-set-cookie-domain-attribute-was-invalid-with-regards-to-the-current), [link2](https://stackoverflow.com/questions/62749492/set-cookie-was-blocked-because-its-domain-attribute-was-invalid-with-regards-to) & [link3](https://stackoverflow.com/questions/64367444/this-set-cookie-was-blocked-because-its-domain-attribute-was-invalid-with-regard) – Sathi Aiswarya Nov 14 '22 at 09:07

1 Answer


run.app and a.run.app cannot be used as they are included in the Mozilla Foundation's Public Suffix List. There is a great article about this issue in the Heroku documentation.

To fix this issue, you can:

  1. Set custom domains on your apps. Something like client.example.com and api.example.com.
  2. Deploy both client and API in one Cloud Run instance.
  3. Use a different authentication strategy such as token authentication. The client exchanges credentials for a token and stores it in browser local storage, then sends the token on every request.

Hope it helps!
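To make the browser's decision concrete, here is an added example (not code from the question or the answer) that applies the two rules behind the "Domain attribute was invalid" error: RFC 6265's requirement that the request host domain-match the Domain attribute, and the public-suffix rule the answer describes. The hostnames and the small public-suffix table are constructed for illustration and are not the real Public Suffix List.

```javascript
// Added example: would a browser accept the Domain attribute of a
// Set-Cookie header sent by `requestHost`? Implements the checks from
// RFC 6265 section 5.3 (steps 5 and 6). The suffix table is a constructed
// sample, not the real Public Suffix List.
const SAMPLE_PUBLIC_SUFFIXES = new Set([
  'com', 'app', 'run.app', 'a.run.app', 'web.app', 'herokuapp.com',
]);

// Browsers lowercase the Domain value and ignore one leading dot.
function canonicalizeDomain(domainAttr) {
  if (typeof domainAttr !== 'string') return null;
  const d = domainAttr.trim().toLowerCase().replace(/^\./, '');
  return d.length > 0 ? d : null;
}

// RFC 6265 section 5.1.3: host domain-matches domain when they are equal,
// or when host ends with "." + domain and host is not an IP literal.
function domainMatches(host, domain) {
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false; // IPv4 literal
  return host.endsWith('.' + domain);
}

// Returns { ok, hostOnly, reason } describing what the browser would do.
function checkCookieDomain(requestHost, domainAttr, publicSuffixes = SAMPLE_PUBLIC_SUFFIXES) {
  const host = requestHost.trim().toLowerCase();
  const domain = canonicalizeDomain(domainAttr);

  // No Domain attribute: cookie is scoped to the responding host only.
  if (domain === null) {
    return { ok: true, hostOnly: true, reason: 'host-only cookie for ' + host };
  }

  // Step 5: a public suffix may not own cookies. If it is exactly the
  // request host the attribute is dropped; otherwise the cookie is ignored.
  if (publicSuffixes.has(domain)) {
    if (domain === host) {
      return { ok: true, hostOnly: true, reason: domain + ' is a public suffix; attribute ignored, host-only cookie' };
    }
    return { ok: false, hostOnly: false, reason: domain + ' is a public suffix; cookie rejected' };
  }

  // Step 6: the responding host must be the domain or a subdomain of it.
  // This is why a backend on run.app cannot set a cookie for a Firebase host.
  if (!domainMatches(host, domain)) {
    return { ok: false, hostOnly: false, reason: host + ' does not domain-match ' + domain + '; cookie rejected' };
  }

  return { ok: true, hostOnly: false, reason: 'cookie scoped to ' + domain + ' and its subdomains' };
}

// Walk through the situations discussed above (all hostnames constructed).
function demo() {
  const cases = [
    ['api-abc123-uc.a.run.app', 'myapp.web.app'],          // frontend domain set by backend
    ['api-abc123-uc.a.run.app', 'run.app'],                // backend root domain
    ['api-abc123-uc.a.run.app', 'a.run.app'],              // also a public suffix
    ['api-abc123-uc.a.run.app', 'api-abc123-uc.a.run.app'],// backend's own host
    ['api.example.com', 'example.com'],                    // fix 1: shared custom domain
    ['api.example.com', undefined],                        // no Domain attribute at all
  ];
  return cases.map(([h, d]) => ({ host: h, domain: d, ...checkCookieDomain(h, d) }));
}

for (const r of demo()) console.log(r.host, '|', r.domain, '=>', r.ok ? 'OK' : 'BLOCKED', '-', r.reason);
```

The last two rows show the two working configurations: a shared custom parent domain such as `example.com` (the answer's fix 1), or simply omitting `domain`, in which case the session cookie belongs to the backend host alone and is sent back on cross-site requests only with `SameSite=None; Secure` and CORS credentials enabled.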