SameSite cookie property
I've a frontend that I'll be hosting on a digital ocean droplet running linux and nginx. The backend will also (hopefully) be on the same droplet. I'm trying to implement session authentication, and was wondering if I'll run into problems with requests between the FE and BE because of the samesite cookie property?
I'm obviously new to this and will have to look at how to serve both from one server, but was hoping for some pointers/tips that might save me a lot of time, if anyone has a spare second?
Thanks!
5 Replies
If you host your authentication server on an entirely different domain to your frontend, you could run into problems, but subdomains will still work. In production this shouldn't be an issue, but if you're trying to access a production backend server on your development frontend-server running on localhost, this can cause problems. In any case, if you set SameSite=None, you can mitigate this issue, but you will have to set the Secure attribute.
SameSite has caught me off guard many times too, but unless you have your frontend and backend on different domains there shouldn't be an issue
If you end up hosting your backend on a subdomain like api.yoursite.com, consider setting the Domain to your top domain (yoursite.com). This way it will be considered a first-party cookie for all your subdomains and will always be sent even when SameSite=Strict.
Here are some references
SameSite attribute
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute
How first-party and third-party cookies are distinguished
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#third-party_cookies
Domain attribute
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
Great, thanks Stefan, that sub-domain knowledge was exactly what I was hoping for.
Also, I've come across that same-site/secure attribute issue before (FF doesn't care, Chrome seems to). I'll read those links though because I'm currently pulling out my hair with express-session; it has previously worked (like 20 minutes before it didn't XD), but now just seems to be failing silently. I don't suppose you have any tips on how to debug?
I posted a SO question here: https://stackoverflow.com/questions/75203102/how-to-debug-an-express-session-store with a bit more detail, but I'm stumped. It's probably a bloody typo knowing my luck XD
Stack Overflow
How to debug an express-session / store
My sessions have previously been working, now aren't, and I'm struggling on how to debug my problem. No sessions are appearing in my db (MySQL), and no cookies are being sent to the client (chrome/...
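The three rules Stefan's reply relies on (subdomains of one registrable domain are same-site, SameSite=None is only accepted together with Secure, and the Domain attribute decides which hosts get the cookie at all) are easy to mix up, so here is a small model of the browser-side decision as an added example. It is not code from the thread, from express-session or from any browser; yoursite.com, api.yoursite.com and localhost are the hosts from the discussion, and the "site" of a host is simplified to its last two labels (no public suffix list), which is right for these hosts but not for names under suffixes like co.uk.

```javascript
// Added example (not from the thread): a minimal model of how a browser decides
// whether to store a cookie and whether to attach it to a request.
// Assumption: a host's "site" is its last two labels (no public suffix list).

function siteOf(host) {
  const labels = host.toLowerCase().split('.');
  return labels.slice(-2).join('.'); // 'api.yoursite.com' -> 'yoursite.com', 'localhost' -> 'localhost'
}

// Browser receiving a Set-Cookie response from setByHost. Returns the stored
// cookie, or null when the browser rejects it (SameSite=None without Secure).
function acceptCookie(attrs, setByHost) {
  const sameSite = attrs.sameSite || 'Lax'; // modern browsers default to Lax
  if (sameSite === 'None' && !attrs.secure) return null;
  return {
    name: attrs.name,
    value: attrs.value,
    secure: Boolean(attrs.secure),
    httpOnly: Boolean(attrs.httpOnly),
    sameSite,
    // Domain=yoursite.com covers yoursite.com and all its subdomains;
    // no Domain attribute means host-only (just setByHost).
    domain: attrs.domain ? attrs.domain.toLowerCase().replace(/^\./, '') : null,
    hostOnly: setByHost.toLowerCase(),
  };
}

// The Set-Cookie header line a server would emit for the stored attributes.
function toSetCookieHeader(cookie) {
  const parts = [`${cookie.name}=${cookie.value}`];
  if (cookie.domain) parts.push(`Domain=${cookie.domain}`);
  parts.push('Path=/');
  if (cookie.secure) parts.push('Secure');
  if (cookie.httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${cookie.sameSite}`);
  return parts.join('; ');
}

// Would the browser attach the cookie to this request?
// req: { from: host of the page making the request, to: absolute URL,
//        method: HTTP method (default GET),
//        topLevel: true for a navigation, false for fetch/XHR/subresources }
function wouldSend(cookie, req) {
  const url = new URL(req.to);
  const host = url.hostname.toLowerCase();
  const method = (req.method || 'GET').toUpperCase();

  // Secure cookies only travel over https.
  if (cookie.secure && url.protocol !== 'https:') return false;

  // Domain matching: the cookie must be scoped to the target host at all.
  const domainOk = cookie.domain
    ? host === cookie.domain || host.endsWith('.' + cookie.domain)
    : host === cookie.hostOnly;
  if (!domainOk) return false;

  // Same-site requests (www.yoursite.com -> api.yoursite.com) always carry
  // the cookie, whatever the SameSite attribute says.
  if (siteOf(req.from) === siteOf(host)) return true;

  // Cross-site (localhost -> api.yoursite.com): apply the SameSite rule.
  switch (cookie.sameSite) {
    case 'None':   return true;
    case 'Lax':    return Boolean(req.topLevel) && method === 'GET';
    case 'Strict': return false;
    default:       return false;
  }
}

// Walk through the scenarios from the thread.
const prod = acceptCookie(
  { name: 'sid', value: 'abc', domain: 'yoursite.com', secure: true, httpOnly: true, sameSite: 'Strict' },
  'yoursite.com');
console.log(toSetCookieHeader(prod));
console.log('www -> api (prod):', wouldSend(prod, { from: 'www.yoursite.com', to: 'https://api.yoursite.com/session' }));
console.log('localhost -> api (dev):', wouldSend(prod, { from: 'localhost', to: 'https://api.yoursite.com/session' }));
console.log('None without Secure stored?', acceptCookie({ name: 'sid', value: 'abc', sameSite: 'None' }, 'api.yoursite.com') !== null);
```

Note that the Domain attribute and SameSite do different jobs: without Domain=yoursite.com the session cookie set by yoursite.com is never sent to api.yoursite.com even though the two hosts are same-site, and a SameSite=Strict cookie stays at home for any cross-site request, which is exactly the localhost-to-production case that breaks in development.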
Not a nodejs express dev so I can't help you with that, but I know from experience with asp.net core and spring boot that auth frameworks are always tricky and keep shooting you in the foot all the time with years of security patches and deprecated functionality, so I wish you the best of luck in finding a solution!
Thanks 🙂