
nf_jwt cookies are not sent with requests to other subdomains #414

Open
jamesking opened this issue Jan 8, 2021 · 3 comments

Comments

@jamesking

I have a login site hosted at login.example.com. This site uses the Netlify Identity Widget and a Netlify Identity instance to allow users to log in.

After logging in, a nf_jwt is saved as a cookie as expected.

I have a protected site hosted at protected.example.com. This uses Netlify's Role Based Access Control to deny access and redirect visitors back to the login site if they do not have a valid nf_jwt cookie and a valid role of team.

Here is my _redirects file for the protected.example.com site.

/* 200! Role=team
/* https://login.example.com 302!

I was expecting the nf_jwt created when logging into login.example.com to be sent with all requests to protected.example.com and therefore enable access to the protected site. However, this is not the case.

When inspecting the cookies sent with the request to protected.example.com in Chrome DevTools you can see that the cookie is blocked from the request by the browser:

[Screenshot 2021-01-08 at 16:48:23: Chrome DevTools request cookies panel showing the blocked nf_jwt cookie]

Hovering over the (i) icon for the reason the cookie was filtered shows:

This cookie was blocked because neither did the request's URL domain exactly match the cookie's domain, nor was the request URL's domain a subdomain of the Cookie's Domain attribute value

To try a workaround, I moved the protected site to be a subdomain of the login site to see if that would work. The setup was the same as before, except that the protected site was moved to protected.login.example.com.

This seemed to make no difference, which is strange because the request's domain is definitely a subdomain of the cookie's Domain attribute value. Chrome still blocked the cookie from being sent in the request header.

When the identity widget saves the nf_jwt cookie, is there a way for it to work across subdomains of the same domain?

This Netlify tutorial seems to show it can be done.

@its-kayes

I had the same issues and still can't figure out how to solve them.

@CodingSamrat

I'm getting the same issue. Still finding the solution 😕😕😕

@its-kayes

I had the same issues and still can't figure out how to solve them.

I solved my issue by declaring the domain property when setting the cookie on the response.

// Express: scope the cookie to the parent domain so that every subdomain receives it
res.cookie(name, token, {
  httpOnly: true,        // not readable from page JavaScript
  maxAge: time,          // lifetime in milliseconds
  secure: true,          // HTTPS only (required when sameSite is 'none')
  sameSite: 'none',
  domain: 'example.com', // sent to example.com and all of its subdomains
});

Note: If you are using a sub-domain, then just declare the main domain name; it should work. There is no need to declare all of your sub-domains.
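As an added illustration (not code from the thread or from Netlify), the following models the RFC 6265 domain-matching rule that decides the behaviour described above: a cookie stored without a Domain attribute is host-only and reaches only the host that set it, while a cookie with Domain=example.com reaches every subdomain. The hosts and the assumption that the widget's cookie carries no Domain attribute are constructed for the example; example.com is the placeholder domain from the issue.

```javascript
// RFC 6265 section 5.1.3: host domain-matches the cookie domain when they are
// equal or the host ends with "." + domain.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Model of the browser storing a cookie set by settingHost (section 5.3).
// No Domain attribute -> host-only cookie, bound to the exact setting host.
// A Domain attribute the setting host does not belong to is rejected (null).
// Real browsers also reject public suffixes such as "com"; not modelled here.
function storeCookie(name, settingHost, domainAttr) {
  if (domainAttr === undefined) {
    return { name, hostOnly: true, domain: settingHost.toLowerCase() };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  if (!domainMatches(settingHost, domain)) return null;
  return { name, hostOnly: false, domain };
}

// Section 5.4: would the browser attach this cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Which of the given hosts receive the cookie.
function recipients(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed hosts from the thread, plus a look-alike that must never match.
const HOSTS = [
  'login.example.com',
  'protected.example.com',
  'protected.login.example.com',
  'example.com',
  'notexample.com',
];

// Assumed: the widget set nf_jwt on login.example.com without a Domain attribute.
const hostOnly = storeCookie('nf_jwt', 'login.example.com');
// The fix from the reply above: Domain=example.com.
const parent = storeCookie('nf_jwt', 'login.example.com', 'example.com');

console.log('host-only ->', recipients(hostOnly, HOSTS)); // only login.example.com
console.log('Domain=example.com ->', recipients(parent, HOSTS)); // all but notexample.com
```

Widening the Domain attribute is what makes the redirect flow work, and it also means every host under example.com receives the token, so the httpOnly and secure flags in the reply matter for the same reason.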
