BA
Better Auth2w ago
tigawana

cross-site cookie in express

I see past issues with cross domain cookies am not sure if a resolution was reached i've resorterd to disabing secure cookies to work around this 
  advanced: {
    useSecureCookies: false,
  },
  advanced: {
    useSecureCookies: false,
  },
I remember when i faced the same in anoter epress app and ended up handling it like this 
const refreshCookieOptions: CookieOptions = {
  httpOnly: true,
  secure: true,
  sameSite: "none",
  path: "/",
  expires: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // expires in 7 days
  maxAge: 7 * 24 * 60 * 60, // expires in 7 days
} as const;

const accessTokencookieOptions: CookieOptions = {
  httpOnly: true,
  secure: true,
  sameSite: "none",
  path: "/",
  expires: new Date(Date.now() + 12 * 60 * 1000), // expires in 12 minutes
  maxAge: 12 * 60, // expires in 12 minutes
} as const;
const refreshCookieOptions: CookieOptions = {
  httpOnly: true,
  secure: true,
  sameSite: "none",
  path: "/",
  expires: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // expires in 7 days
  maxAge: 7 * 24 * 60 * 60, // expires in 7 days
} as const;

const accessTokencookieOptions: CookieOptions = {
  httpOnly: true,
  secure: true,
  sameSite: "none",
  path: "/",
  expires: new Date(Date.now() + 12 * 60 * 1000), // expires in 12 minutes
  maxAge: 12 * 60, // expires in 12 minutes
} as const;
1 Reply
tigawana
tigawanaOP7d ago
And from the looks of things even setting it to false gets overwritten somehow funally figured it out 
  advanced: {
    crossSubDomainCookies: {
      enabled: true,
      // domain: process.env.COOKIE_DOMAIN || undefined,
    },
    cookie: {
      sameSite: "none",
      secure: true,
      // domain: process.env.COOKIE_DOMAIN || undefined,
      path: "/",
    },
    defaultCookieAttributes: {
      secure: true,
      // httpOnly: true,
      sameSite: "none", // Allows CORS-based cookie sharing across subdomains
      // partitioned: true, // New browser standards will mandate this for foreign cookies
    },
  },
  advanced: {
    crossSubDomainCookies: {
      enabled: true,
      // domain: process.env.COOKIE_DOMAIN || undefined,
    },
    cookie: {
      sameSite: "none",
      secure: true,
      // domain: process.env.COOKIE_DOMAIN || undefined,
      path: "/",
    },
    defaultCookieAttributes: {
      secure: true,
      // httpOnly: true,
      sameSite: "none", // Allows CORS-based cookie sharing across subdomains
      // partitioned: true, // New browser standards will mandate this for foreign cookies
    },
  },
ignore the domain attribute and it'll work for cross domains (it might expose you to CSRF though am not sure)

Did you find this page helpful?