Problem that session cookies cannot be saved after application deployment
<p>I created a front-end application using React and then deployed it on Netlify. The frontend application interacts with an express backend application that I created and deployed to Render. Any interaction between frontend and backend is protected by authentication using passportjs. The backend application uses passport's local policy to verify that the user exists/that the username and password are correct by connecting to mongoDB. Once confirmed, I use passport's serialization and deserialization functions to maintain the login session. </p>
<p>During development, I use this application on http://localhost. In the meantime, everything works as expected. The login session is saved as a cookie, which I am able to send to the backend application as part of future requests to authenticate the user. </p>
<p>When I deploy the frontend app to Netlify and the backend app to Render, the session cookie is no longer saved which means the user cannot authenticate on the backend as every request after login The saved session cookie is sent to the backend. </p>
<p>In a little more detail, for express-session with passport to create a login session, I use connect-mongo to store the session on MongoDB. Every time I log in via the frontend I can see the session being created and stored in MongoDB. The problem seems to be that the cookies in the response are not being passed over and I don't know why. </p>
<p>This is the session options I currently have in my express backend application: </p>
<pre class="brush:php;toolbar:false;">app.use(
session({
secret: process.env.SESSION_SECRET,
save: false,
saveUninitialized: false,
store: MongoStore.create({ mongoUrl: process.env.MONGODB_URI }),
cookie: {
secure: true,
sameSite: "none",
httpOnly: true,
expires: 24 * 60*60*1000
}
})
);</pre>
<p>I have tried searching for a solution and tried many options including changing <code>secure</code>, changing <code>httpOnly</code>, changing <code>sameSite</code> Set to false and none, add <code>domain</code> pointing to the frontend URL and another <code>domain</code> pointing to the backend URL, remove any security packages I have installed like helmet and rate limiter, but it doesn't seem to have any effect.</p>
<p>I also set the credential's Access Control header to true: </p>
<pre class="brush:php;toolbar:false;">app.use((req, res, next) => {
res.setHeader("Access-Control-Allow-Origin", process.env.DOMAIN_URL);
res.setHeader("Access-Control-Allow-Credentials", true);
res.setHeader("Access-Control-Allow-Headers", "Content-Type");
res.header("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE");
next();
});</pre>
<p>For all requests, I use <code>fetch</code>. I ran into a question similar to mine, but it wasn't answered: Browser not saving session cookie from cross domain server</p>
<p>Any help or advice is greatly appreciated! </p>
