Cross-Site Tracking

I have an Express backend and a React frontend, both deployed separately: Express as a web service and React as a static site. In my server setup, I have CORS configured for sameSite: none and secure: true. Whenever a login/register happens, the user is issued an httpOnly cookie that is set on the frontend. Then, as part of a refresh token cycle, the user is validated using the cookie. This also helps with keeping a persistent login.

All of this works great on desktop; however, on mobile it doesn’t work at all. After much tinkering, I found that for Chrome mobile, turning on “Allow Cross-website Tracking” fixes the issue, but I can’t expect my users to know to do that. Is there some attribute I’m missing that would help with this issue? Is it because I deployed my server and client separately (I’ve read that this is recommended due to management of the two)? Any help would be appreciated.

For anyone else working with this, the issue is created by the fact that onrender.com is registered on the Public Suffix List, meaning any subdomains of this domain are automatically seen as cross-site. The fix for this is to register a custom domain name and create a subdomain for the server. This fixed my issue.
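The same-site check behind the fix described above, as an added example that is not part of the original posts: a browser derives each host's site from the Public Suffix List, and a cookie sent between two different sites is a third-party cookie, which is what tracking protection blocks. The hostnames, the `example.com` custom domain, and the two-rule list are constructed for illustration; the real list is much larger and also has wildcard and exception rules that this sketch does not handle.

```javascript
// Constructed subset of Public Suffix List rules (assumption: only the two
// entries needed here; wildcard "*." and exception "!" rules are not handled).
const PSL_SUBSET = new Set(["com", "onrender.com"]);

// Registrable domain = matching public suffix plus one more label.
// Returns null when the host is itself a public suffix.
function registrableDomain(host, rules = PSL_SUBSET) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the longest candidate suffix so "onrender.com" wins over "com".
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (rules.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // PSL default rule: with no match, the last label is the public suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Two URLs are same-site when scheme and registrable domain both match.
function isSameSite(urlA, urlB, rules = PSL_SUBSET) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  const siteA = registrableDomain(a.hostname, rules);
  const siteB = registrableDomain(b.hostname, rules);
  return a.protocol === b.protocol && siteA !== null && siteA === siteB;
}

// How the browser would classify the API's cookie when the frontend calls it.
function cookieContext(frontendUrl, apiUrl) {
  return isSameSite(frontendUrl, apiUrl) ? "first-party" : "third-party";
}

// Constructed deployments: platform subdomains versus a custom domain.
const deployments = [
  ["https://myapp.onrender.com", "https://myapi.onrender.com"],
  ["https://app.example.com", "https://api.example.com"],
];
for (const [frontend, api] of deployments) {
  console.log(`${frontend} -> ${api}: ${cookieContext(frontend, api)}`);
}
```
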
