
So I have a backend Go gin API hosted at domainA.com, and a frontend Next.js web app hosted at domainB.com. I have a login page where users log in; the fetch call goes to domainA and, if they log in correctly, a Set-Cookie header carrying a JWT is sent back to the client so the cookie can be stored in the browser. I have set credentials to true on both the back end and the front end. The front-end fetch looks like this:

// Cross-site login call from domainB.com to the API on domainA.com.
// credentials: "include" is what makes the browser store the Set-Cookie
// from the response and attach the cookie to later requests to domainA.
async function login(requestBody) {
  const resp = await fetch(
    domainA + loginendPoint,
    {
      method: 'POST',
      body: requestBody,
      credentials: "include",
    }
  );
  return resp;
}

The backend CORS set-up looks like this:

import (
    "github.com/gin-contrib/cors"
    "github.com/gin-gonic/gin"
)

r := gin.Default()
config := cors.DefaultConfig()
config.AllowAllOrigins = false // a wildcard origin is not allowed together with credentials
config.AllowOrigins = append(config.AllowOrigins, "http://localhost:3000") // local Next.js dev server
config.AllowOrigins = append(config.AllowOrigins, "https://domainB.com")   // production front end
config.AllowCredentials = true // emits Access-Control-Allow-Credentials: true
r.Use(cors.New(config))

and the handler in the backend sets the cookie with:

// SameSite=None is required for a cookie set in response to a cross-site request;
// browsers only accept it together with the Secure flag.
c.SetSameSite(http.SameSiteNoneMode)
// maxAge is a lifetime in seconds, not a Unix timestamp; an empty path defaults to "/",
// and an empty domain makes this a host-only cookie for the API host (domainA.com).
c.SetCookie("nameofCookie", jwtSignedToken, 24*60*60, "", "", true, false)

where secure is true and httpOnly is false. I have this working with no problem locally, but in production with different domains my browser receives the Set-Cookie header correctly (it doesn't say it is blocked at all), yet the browser isn't setting the cookie. Any help would be great. Thank you for your time.

I have tried all types of configurations with CORS and the front end. I spent the better part of 10 hours trying to fix this, but no luck.

TKDEV
  • Your maxAge parameter to SetCookie is bogus. Use 3600*24. – Volker Jun 08 '23 at 04:32
  • So changing the maxAge parameter did not help. The browser still doesn't store the cookie. And I am checking the cookie on domainB.com as that's my front-end URL. So my front end needs to get that cookie, then get its claims, to then make future requests to my backend on domainA.com. Locally I have my front end on port 3000 and my backend running on port 7000, and with that the browser is able to store the cookie fine and I can access it on my front end and then make future requests. – TKDEV Jun 08 '23 at 15:43
  • I made a mistake about the domains. The cookie is set for the API service (which is `domainB.com`). So if you check the cookies for `domainA.com`, you won't find the cookies there. And you cannot read `domainB.com`'s cookies on the page of `domainA.com` (for security reasons). If you need to get the token on `domainA.com`, you should change the API to return it explicitly. – Zeke Lu Jun 09 '23 at 09:01
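The point raised in the comments above, worked through as an added example that is not part of the question or of the gin project. It uses only Go's standard library (net/http and an RFC 6265 cookie jar in place of a browser, rather than gin), and the cookie name, origins, token value and claim are constructed stand-ins: the login response sets the cookie with a correct Max-Age in seconds, the jar stores it for the API host only, a page origin of domainB.com gets nothing, and a credentialed call back to a hypothetical `/me` endpoint on domainA.com still carries it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"time"
)

// Constructed names for the example; not taken from the question's deployment.
const (
	cookieName = "nameofCookie"
	cookieTTL  = 24 * time.Hour
	apiOrigin  = "https://domainA.com" // backend API
	appOrigin  = "https://domainB.com" // Next.js front end
	demoToken  = "header.payload.signature" // stand-in for a signed JWT
)

// loginHandler plays the API on domainA.com. Without a Domain attribute the
// cookie is host-only for domainA.com: script on domainB.com can never read it
// (HttpOnly or not), but the browser attaches it to credentialed fetches back
// to domainA.com. MaxAge is a lifetime in seconds, not a Unix timestamp.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     cookieName,
		Value:    demoToken,
		Path:     "/",
		MaxAge:   int(cookieTTL.Seconds()), // 86400
		Secure:   true,                     // mandatory with SameSite=None
		HttpOnly: true,                     // keeps the token away from XSS on domainA.com
		SameSite: http.SameSiteNoneMode,    // cookie set from a cross-site POST
	})
	w.WriteHeader(http.StatusNoContent)
}

// meHandler is the endpoint the front end calls with credentials: "include"
// to learn the claims, instead of reading the cookie itself.
func meHandler(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(cookieName)
	if err != nil || c.Value != demoToken { // stand-in for JWT signature verification
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"sub": "alice"}) // constructed claim
}

// ScopeResult records what a browser-like cookie jar does with the login response.
type ScopeResult struct {
	SetCookie string         // raw Set-Cookie header the browser receives
	Visible   map[string]int // cookies the jar would attach, per origin
	MeStatus  int            // status of GET /me on domainA.com using the jar
}

// RunScopeDemo logs in through a cookie jar and reports where the cookie is visible.
func RunScopeDemo() (ScopeResult, error) {
	rec := httptest.NewRecorder()
	loginHandler(rec, httptest.NewRequest(http.MethodPost, apiOrigin+"/login", nil))
	resp := rec.Result()

	jar, err := cookiejar.New(nil)
	if err != nil {
		return ScopeResult{}, err
	}
	loginURL, _ := url.Parse(apiOrigin + "/login")
	jar.SetCookies(loginURL, resp.Cookies()) // what the browser does on Set-Cookie

	res := ScopeResult{SetCookie: resp.Header.Get("Set-Cookie"), Visible: map[string]int{}}
	for _, origin := range []string{apiOrigin, appOrigin} {
		u, _ := url.Parse(origin + "/")
		res.Visible[origin] = len(jar.Cookies(u))
	}

	// Credentialed request back to the API: the jar supplies the cookie.
	meURL, _ := url.Parse(apiOrigin + "/me")
	meReq := httptest.NewRequest(http.MethodGet, meURL.String(), nil)
	for _, c := range jar.Cookies(meURL) {
		meReq.AddCookie(c)
	}
	meRec := httptest.NewRecorder()
	meHandler(meRec, meReq)
	res.MeStatus = meRec.Code
	return res, nil
}

func main() {
	res, err := RunScopeDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie:", res.SetCookie)
	fmt.Println("cookies visible per origin:", res.Visible)
	fmt.Println("GET /me status:", res.MeStatus)
}
```

The practical consequence for the set-up in the question: look for the cookie under domainA.com in the browser's storage, not domainB.com, and let the front end obtain claims by calling the API with credentials: "include" rather than by reading document.cookie, which lets the cookie be HttpOnly as well.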

0 Answers