SameSite cookie property

I've a frontend that I'll be hosting on a digital ocean droplet running linux and nginx. The backend will also (hopefully) be on the same droplet. I'm trying to implement session authentication, and was wondering if I'll run into problems with requests between the FE and BE because of the samesite cookie property?

I'm obviously new to this and will have to look at how to serve both from one server, but was hoping for some pointers/tips that might save me a lot of time, if anyone has a spare second?

Thanks!

StefanH•1/18/23, 6:56 PM

If you host your authentication server on an entirely different domain to your frontend, you could run into problems, but subdomains will still work. In production this shouldn't be an issue, but if you're trying to access a production backend server on your development frontend-server running on localhost, this can cause problems. In any case, if you set , you can mitigate this issue, but you will have to set the attribute.

SameSite has caught me off guard many times too, but unless you have your frontend and backend on different domains there shouldn't be an issue

StefanH•1/18/23, 7:00 PM

If you end up hosting your backend on a subdomain like , consider setting the to your top domain (). This way it will be considered a first-party cookie for all your subdomains and will always be sent even when

StefanH•1/18/23, 7:00 PM

Here are some references

SameSite attribute
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute

How first-party and third-party cookies are distinguished
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#third-party_cookies

Domain attribute
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value

JWodeOP•1/22/23, 3:45 PM

Great, thanks Stefan, that sub-domain knowledge was exactly what I was hoping for.

Also, I've come across that same-site/secure attribute issue before (FF doesn't care, Chrome seems to). I'll read those links though because I'm currently pulling out my hair with , it has previously worked (like 20 minutes before it didn't XD), but now just seems to be failing silently.

JWodeOP•1/22/23, 7:05 PM

I don't suppose you have any tips on how to debug?

I posted a SO question here: https://stackoverflow.com/questions/75203102/how-to-debug-an-express-session-store with a bit more detail, but I'm stumped. It's probably a bloody typo knowing my luck XD

Stack Overflow

How to debug an express-session / store

My sessions have previously been working, now aren't, and I'm struggling on how to debug my problem. No sessions are appearing in my db (MySQL), and no cookies are being sent to the client (chrome/...

StefanH•1/22/23, 10:02 PM

Not a nodejs express dev so I can't help you with that, but I know from experience with asp.net core and spring boot that auth frameworks are always tricky and keep shooting you in the foot all the time with years of security patches and deprecated functionality, so i wish you best of luck in finding a solution!

JWodeOP•1/23/23, 9:23 AM

Thanks