Error setting cookie after deploy

default discord avatar
2 months ago

I deployed Payload to DigitalOcean and the admin works, I have a nextJS frontend on a different DigitalOcean droplet with different address, I have cors set up correctly and they work because I dont' get cors error if I have the correct address, but when I try to login from front-end (first thing I have to do to access my app) nothing happens. I checked the request and has a warning:

This attempt to set a cookie via set-cookie header was blocked because it has the "SameSite=lax" attribute but came from cross-site response witch was not the response to a top-level navigation.

Why is this happening on the server but not locally? Any idea on how to fix this?

I tried changing to SameSite=none and secure with the cookie settings. Now I don't have the warning anymore but it's still not working, the cookie is set but deleted when refreshing, and of course I'm rerouting with successful login. I have payload hosted on and nextjs on both with https certificated from let's encript

I tried adding domain: "", nothing happens in the frontend, but now payload admin keeps the cookie even after logout for some reason

After more testing I found that nextjs is receiving a cookie with domain: and since that's different from the domain of the frontend it gets deleted and not used

I have no idea of how to solve this, is it even possible to run payload on a subdomain and use http-only cookies? I've some some other talk about it

Finally SOLVED the issue, I just had to set the domain with a dot in front, even though in the mozilla Set-Cookie specs they say leading dots in domain names are ignore, apparently they are not because I can see it in the loaded cookie and now it works for both backend and frontend. Now it actually works with sameSite: "strict" so I left that as more secure.

auth: { cookies: { secure: true, // (https) sameSite: "strict", domain: "", }, },
  • default discord avatar
    2 months ago

    @filippomasoni is your frontend domain or backend? I am hosting frontend in a different domain

  • default discord avatar
    2 months ago

    sorry for the delay, I didn't receive a notification. is my frontend (nextjs) and is my backend (payload)

    In this case I'm not sure what the domain setting in cookies does. I've solved it with trial and error

    In my case since the first level domain is the same, the cookie set works for both frontend and backend, so if I login on one the other is automatically logged in, the cookie is shared. If the first level domain is different, than I think you have to set the fronend domain and then it will probably give a separate and different cookie for each domain.

Open the post
Continue the discussion in Discord
Like what we're doing?
Star us on GitHub!


Connect with the Payload Community on Discord



Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.