Introduction
I have a problem with sending cross domain session cookie and after searching I got even more confused.
Originally I had a client (Next app) on foo.vercel.com and the api (Express) on bar.heroku.com.
Sending and saving cookies was working correctly on localhost, but after deployment I got a problem with sameSite being set to lax by default. So I changed it to none. But I found that sameSite none requires the secure flag to be set on the cookie, so I also changed that.
The problem
After setting secure to true the cookie is no longer being sent.
If secure is set, and you access your site over HTTP, the cookie will not be set.
Both my server and client are hosted on HTTPS. I checked the logs on Heroku and the request protocol is HTTPS... however, when I console.log request.protocol from a GraphQL resolver, the protocol is HTTP.
After seeing this
There's no such thing as cross domain cookies. You could share a cookie between foo.example.com and bar.example.com but never between example.com and example2.com
I moved the client to baz.heroku.com but the problem remains.
In order to check if everything still works I disabled "Cookies without SameSite must be secure" in chrome://flags and it works correctly.
Questions
- Is it even possible to set a cookie cross-domain?
- Why does the POST request have a different protocol than the request I get in the Express server? (I get the request from Express and pass it through context to the GraphQL resolvers.)
- And of course, how can I send a cookie to a client on a different domain?
I would appreciate any help.