Third party cookies must be enabled to set cookie on the browser

I am using authentication with cookies, and the application works locally. But on Render, I did the following to make it work. But now, I have to enable third-party cookies to make it work. I want it to work without having to enable third-party cookies. My frontend and backend repos are separately connected to Render.

I am sending cookies like so:

const cookieParams = { httpOnly: true, sameSite: "none", secure: true };
res
  .cookie("access_token", token, {
    ...cookieParams,
    // res.cookie() takes one options object; a fourth argument is ignored
    expires: new Date(Date.now() + 25892000000), // set expiry of 1m
  })
  .status(200)
  .json({ ...filteredUser });

My cors options like so:

const corsOptions = {
  origin: `${process.env.FRONDEND_LINK}`,
  credentials: true,
  optionsSuccessStatus: 200, // the cors package reads "optionsSuccessStatus"
  Headers: true, // not an option the cors package reads; it is ignored
  exposedHeaders: 'Set-Cookie',
  methods: ['GET', 'PUT', 'POST', 'DELETE', 'OPTIONS'],
  allowedHeaders: [
    'Access-Control-Allow-Origin',
    'Content-Type',
    'Authorization'
  ]
};
app.use(cors(corsOptions));

Let’s say I have 2 URLs:
render = '.onrender.com'
frontend link: frontend-url(render)
backend link: backend-url(render)
I have a rewrite as follows:
Source: "/api/", Destination: "backend-url.onrender.com/", Action: "Rewrite"

On the cookies section of the browser, I can see that under my backend link, the access_token is set, and not under the frontend link.

I am guessing that this issue is occurring because the access_token cookie is set under the backend link instead of the frontend link. How do I solve the problem, since I know this is Render causing it, as my code works locally?

Hey there,

So onrender.com is listed as a public suffix domain, you’ll probably have more luck if you use your own custom domains here,

Regards,

John B

Having the exact same issue. So the only option is to add a custom domain??


I feel Render should have its own support for something as common as this. I noticed that the auth cookies are sent under a different URL, which belongs to my frontend, and the other cookies are properly set under the backend URL. I tried enabling the sameSite option, but that doesn’t work either.

If only I could set my auth cookies under the backend url, this would’ve worked.

Hi there,

Cookies etc. are all client-side/browser technology - this isn’t something we can/would fix. onrender.com is a public suffix domain (https://publicsuffix.org/) as it’s a shared domain across all Render services - and is done so in order to protect customers from being able to read each other’s cookies. This is why using a custom domain is the best and most secure solution here in order to share cookies between services you own on the same domain,

Regards,

John B
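
The public-suffix behaviour described in the replies above, as an added example that is not part of the original thread: it computes the "site" (registrable domain) of each host to show why two onrender.com services are cross-site while two subdomains of a custom domain are not. `PSL_EXCERPT` is a constructed two-rule stand-in for the real Public Suffix List, `example.com` is a placeholder custom domain, and the function names are hypothetical.

```javascript
// Constructed excerpt of the Public Suffix List (https://publicsuffix.org/).
// Assumption: wildcard ("*.x") and exception ("!x") rules are not handled.
const PSL_EXCERPT = new Set(["com", "onrender.com"]);

// Registrable domain ("site") of a host: the longest matching public suffix
// plus one more label. Returns null when the host is itself a public suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // i = 0 tests the whole host first, so the longest suffix wins.
  for (let i = 0; i < labels.length; i++) {
    if (PSL_EXCERPT.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // No rule matched: the PSL default rule treats the last label as the suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Two hosts are same-site when they share a registrable domain.
// Assumption: both are served over https, so the scheme is not compared.
function isSameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  return a !== null && a === registrableDomain(hostB);
}

// Browsers refuse a cookie Domain attribute that names a public suffix, so a
// cookie cannot be widened to cover every service under that suffix.
function domainAttributeAccepted(host, domainAttr) {
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  const h = host.toLowerCase();
  const domainMatches = h === d || h.endsWith("." + d);
  return domainMatches && registrableDomain(d) !== null;
}

// Hosts from the thread's placeholders, then a custom-domain layout.
const cases = [
  ["frontend-url.onrender.com", "backend-url.onrender.com", "onrender.com"],
  ["app.example.com", "api.example.com", "example.com"],
];
for (const [front, back, parent] of cases) {
  console.log(`${front} -> ${back}:`,
    isSameSite(front, back) ? "same-site (first-party cookie)"
                            : "cross-site (third-party cookie)",
    `| Domain=${parent} accepted:`, domainAttributeAccepted(back, parent));
}
```
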
