0
votes

I have a frontend running on AWS and a backend on Heroku. As such, users access a login page on AWS, make a request to log in via the API on Heroku, and should get a cookie back with a session id. I have read all about CORS and even CORS + cookies, but still cannot successfully set a cookie through CORS (or at least I certainly cannot verify if I did via Chrome dev tools, and my Heroku app sure doesn't read any request header cookies). I am using fastify + fastify-cors + fastify-cookie.

When running in dev environment, my frontend is https://localhost:3000 while the back is https://localhost:80

When I log in, I should get back a cookie from the API @ localhost:80. These are the response headers (ignore the content length; I trimmed the session id for this question):

HTTP/1.1 200 OK
vary: Origin
access-control-allow-origin: https://localhost:3000
access-control-allow-credentials: true
set-cookie: session_id=66f9c629644b890fefaa9b4c58a10666; Max-Age=31536000; HttpOnly; Secure; SameSite=None
content-type: application/json; charset=utf-8
content-length: 587
Date: Tue, 02 Feb 2021 05:18:38 GMT
Connection: keep-alive
Keep-Alive: timeout=5

I followed this guide https://cors-errors.info/faq#cdc8

When I refresh the page, I should attempt to log in via cookies. But my API at localhost:80 receives no cookies at all. This is what a login request via cookies looks like. Not sure if I should see some cookies being sent, but if I should, I presume they were never saved to the browser anyways.

POST /users/login/session HTTP/1.1
Host: localhost:80
Connection: keep-alive
Content-Length: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
Accept: */*
Origin: https://localhost:3000
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Not sure what else to do at this point...

1 Answer

0
votes

I believe adding path=/ and removing domain finally fixed everything.
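
An added example, not code from the question or the answer: a dependency-free JavaScript check of the login response headers shown in the question, which also computes the path scope a browser gives the cookie when `Path` is absent (RFC 6265 default-path and path-match). The function names and the `loginPath` value are assumptions, and the session id is a constructed placeholder.

```javascript
function cookieAttrs(setCookie) {
  const attrs = {};
  for (const a of setCookie.split(';').slice(1).map((s) => s.trim())) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return attrs;
}

// RFC 6265 default-path: the scope when Set-Cookie has no Path attribute.
function defaultPath(requestPath) {
  const last = requestPath.lastIndexOf('/');
  return !requestPath.startsWith('/') || last === 0 ? '/' : requestPath.slice(0, last);
}
// RFC 6265 path-match: is a cookie scoped to cookiePath sent for requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  return requestPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/');
}

function auditLoginResponse({ pageOrigin, apiHost, loginPath, headers }) {
  const findings = [];
  const c = cookieAttrs(headers['set-cookie']);
  if (headers['access-control-allow-origin'] !== pageOrigin)
    findings.push('Access-Control-Allow-Origin must be the exact page origin, not *');
  if (headers['access-control-allow-credentials'] !== 'true')
    findings.push('Access-Control-Allow-Credentials must be "true"');
  if (String(c.samesite).toLowerCase() === 'none' && !c.secure)
    findings.push('SameSite=None requires Secure');
  if (typeof c.domain === 'string') {
    const d = c.domain.replace(/^\./, '').toLowerCase();
    if (apiHost !== d && !apiHost.endsWith('.' + d))
      findings.push(`Domain=${d} does not domain-match ${apiHost}; cookie is ignored`);
  }
  const scope = String(c.path || '').startsWith('/') ? c.path : defaultPath(loginPath);
  return { scope, findings };
}

// Constructed sample: the question's response headers with the session id replaced.
const sample = {
  pageOrigin: 'https://localhost:3000', apiHost: 'localhost',
  loginPath: '/users/login', // assumed: the thread does not show the login URL
  headers: {
    'access-control-allow-origin': 'https://localhost:3000',
    'access-control-allow-credentials': 'true',
    'set-cookie': 'session_id=CONSTRUCTED_VALUE; Max-Age=31536000; HttpOnly; Secure; SameSite=None',
  },
};
console.log(auditLoginResponse(sample));
```

Response headers cannot show whether the frontend made the request with `credentials: 'include'` (fetch) or `withCredentials = true` (XHR); without that, the browser neither stores a cross-origin `Set-Cookie` nor attaches the cookie to later requests.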