How to set a same domain cookie with Heroku subdomains?
herokuapp.app is listed in the Public Suffix List, which means cookies are blocked from being set to the domain "herokuapp.com". You must use the custom domain technique.
Stuck with this issue for some time. What I figured out:
- Need to add the proxy attribute to the app:

    const Koa = require("koa")
    const app = new Koa()
    app.proxy = true // trust the X-Forwarded-* headers set by the proxy in front of the app

- Extend the cookie options with the sameSite attribute:

    cookies.set("accessToken", token, {
      maxAge: 1000 * 60 * 24,
      signed: true,
      secure: process.env.NODE_ENV === "production",
      httpOnly: true,
      domain: process.env.ORIGIN_HOSTNAME || "localhost",
      sameSite: 'none' // <-- add this
    })
Before that I bought a domain for my app. The frontend app points to "domain.com", and the backend app points to "api.domain.com". But now I am not sure if it was necessary.
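
The browser-side rules that both answers run into, as an added example (not code from either answer): a simplified check of whether a `Set-Cookie` with a given `Domain`, `SameSite` and `Secure` would be stored. `PUBLIC_SUFFIXES` is a tiny constructed excerpt rather than the real Public Suffix List, and `my-api.herokuapp.com` is a hypothetical host name.

```javascript
// Simplified model of how a browser decides whether to store a cookie.
// PUBLIC_SUFFIXES is a constructed excerpt, not the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "herokuapp.com"]);

// RFC 6265 domain-match: identical, or the host ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns { accepted, reason } for a Set-Cookie received from `host`.
function checkCookie(host, { domain, sameSite, secure } = {}) {
  host = host.toLowerCase();
  // Current browsers drop SameSite=None cookies that lack Secure.
  if (String(sameSite).toLowerCase() === "none" && !secure) {
    return { accepted: false, reason: "SameSite=None requires Secure" };
  }
  if (!domain) {
    return { accepted: true, reason: "host-only cookie for " + host };
  }
  const d = domain.toLowerCase().replace(/^\./, "");
  if (PUBLIC_SUFFIXES.has(d)) {
    // A public suffix is tolerated only when it equals the host itself,
    // and the cookie then becomes host-only instead of shared.
    return d === host
      ? { accepted: true, reason: "host-only cookie for " + host }
      : { accepted: false, reason: d + " is a public suffix" };
  }
  if (!domainMatches(host, d)) {
    return { accepted: false, reason: host + " does not domain-match " + d };
  }
  return { accepted: true, reason: "shared across " + d + " and its subdomains" };
}

// Constructed cases: a Heroku subdomain versus a custom domain.
const cases = [
  ["my-api.herokuapp.com", { domain: "herokuapp.com", sameSite: "none", secure: true }],
  ["api.domain.com", { domain: "domain.com", sameSite: "none", secure: true }],
  ["api.domain.com", { domain: "domain.com", sameSite: "none", secure: false }],
];
for (const [host, attrs] of cases) {
  console.log(host, JSON.stringify(attrs), "->", checkCookie(host, attrs).reason);
}
```

The third case corresponds to running the answer's options outside production, where `secure` evaluates to `false` while `sameSite` is still `'none'`.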