I have an Express backend and a React frontend, both deployed separately: Express as a web service and React as a static site. In my server setup, I have CORS configured for sameSite: none and secure: true. Whenever a login/register happens, the user is issued an httpOnly cookie that is set on the frontend. Then, as part of a refresh token cycle, the user is validated using the cookie. This also helps with keeping a persistent login.
All of this works great on desktop; however, on mobile it doesn’t work at all. After much tinkering, I found that for Chrome mobile, turning on “Allow Cross-website Tracking” fixes the issue, but I can’t expect my users to know to do that. Is there some attribute I’m missing that would help with this issue? Is it because I deployed my server and client separately (I’ve read that this is recommended due to management of the two)? Any help would be appreciated.
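
The setup described in the post, as an added example that is not part of the original post: a small Node.js audit of the headers a login response needs when the frontend calls the backend cross-origin with an httpOnly cookie. The origin `https://app.example.com`, the cookie name `refreshToken` and both sample responses are constructed assumptions.

```javascript
// Added example: audit the headers a login response sends to a cross-origin SPA.
// FRONTEND_ORIGIN, the cookie name and both sample responses are constructed.
const FRONTEND_ORIGIN = "https://app.example.com";

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return findings for a credentialed cross-origin response (empty = consistent).
function auditLoginResponse(headers, frontendOrigin) {
  const findings = [];
  const { attrs } = parseSetCookie(headers["set-cookie"]);
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (!attrs.httponly) findings.push("HttpOnly missing: cookie readable by script");
  if (sameSite !== "none") findings.push("SameSite is not None: cookie withheld from cross-site fetch/XHR");
  if (sameSite === "none" && !attrs.secure) findings.push("SameSite=None without Secure: cookie rejected");
  const acao = headers["access-control-allow-origin"];
  if (acao === "*") findings.push("wildcard Access-Control-Allow-Origin is refused for credentialed requests");
  else if (acao !== frontendOrigin) findings.push("Access-Control-Allow-Origin does not match the frontend origin");
  if (headers["access-control-allow-credentials"] !== "true")
    findings.push("Access-Control-Allow-Credentials is not 'true'");
  return findings;
}

// Constructed sample responses: one consistent, one misconfigured.
const GOOD = {
  "set-cookie": "refreshToken=abc; Path=/; HttpOnly; Secure; SameSite=None",
  "access-control-allow-origin": FRONTEND_ORIGIN,
  "access-control-allow-credentials": "true",
};
const BAD = {
  "set-cookie": "refreshToken=abc; Path=/; SameSite=None",
  "access-control-allow-origin": "*",
};
console.log(auditLoginResponse(GOOD, FRONTEND_ORIGIN));
console.log(auditLoginResponse(BAD, FRONTEND_ORIGIN));
```

An empty result only shows the headers are internally consistent. A cookie set by a backend on a different site from the page is still a third-party cookie, so a browser that blocks cross-site cookies can drop it regardless of these attributes.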