Third party cookies must be enabled to set cookie on the browser

I am using authentication with cookies, and the application works locally. But on render, I did the following to make it work. But now, I have to enable third party cookies to make it working. I want to have the behavior so that I don’t have to enable third party cookies to have it working. My frontend and backend repos are separately connected to render.

I am sending cookies like so:

const cookieParams = { httpOnly: true, sameSite: "none", secure: true };
      expires: new Date( + 25892000000), // set expiry of 1m
  .json({ ...filteredUser });

My cors options like so:

const corsOptions = {
  origin: `${process.env.FRONDEND_LINK}
  credentials: true, 
  optionSuccessStatus: 200,
  Headers: true,
  exposedHeaders: 'Set-Cookie'
  methods: ['GET', 'PUT', 'POST', 'DELETE', 'OPTIONS'],
  allowedHeaders: [

Let’s say I have 2 urls:
frontend link: frontend-url(render)
backend link: backend-url(render)
I have a rewrite as follows:
Source: “/api/", Destination: "”, Action: “Rewrite”

On the cookies section of the browser, I can see that under my backend link, the access_token is set, and not under the frontend link.

I am guessing because the access_token cookie is set under the backend link, instead of the frontend link, this issue is occurring. How to solve the problem, since I know this is render causing it, as my code works locally?

Hey there,

So is listed as a public suffix domain, you’ll probably have more luck if you use your own custom domains here,


John B

Having the exact same issue. So the only option is to add a custom domain??

1 Like

I feel render should have its own support for something as common as this. I noticed that the auth cookies are sent under a different url, which belongs to my frontend, and the other cookies are properly set under the backend url. I tried enabling the sameSite option, but that doesn’t work as well.

If only I could set my auth cookies under the backend url, this would’ve worked.

Hi there,

Cookies etc are all client side/browser technology - this isn’t something we can/would fix. - is a public suffix domain ( as it’s a shared domain across all Render services - and is done so in order to protect customers from being able to read each other’s cookies. This is why using a custom domain is the best and most secure solution here in order to share cookies between services you own on the same domain,


John B

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.