
Error setting cookie after deploy

filippomasoni (last year)

I deployed Payload to DigitalOcean and the admin works. I have a Next.js frontend on a different DigitalOcean droplet with a different address. I have CORS set up correctly and it works, because I don't get a CORS error if I have the correct address, but when I try to log in from the front-end (the first thing I have to do to access my app) nothing happens. I checked the request and it has a warning:


This attempt to set a cookie via set-cookie header was blocked because it has the "SameSite=lax" attribute but came from a cross-site response which was not the response to a top-level navigation.

Why is this happening on the server but not locally? Any idea on how to fix this?



I tried changing to SameSite=None and Secure in the cookie settings. Now I don't have the warning anymore, but it's still not working: the cookie is set but deleted when refreshing, and of course I'm rerouting on successful login. I have Payload hosted on backend.example.app and Next.js on example.app, both with HTTPS certificates from Let's Encrypt.





I tried adding domain: "example.app"; nothing happens in the frontend, but now the Payload admin keeps the cookie even after logout for some reason.



After more testing I found that Next.js is receiving a cookie with domain backend.example.app, and since that's different from the domain of the frontend it gets deleted and not used.



I have no idea how to solve this. Is it even possible to run Payload on a subdomain and use HTTP-only cookies? I've seen some other talk about it.



Finally SOLVED the issue: I just had to set the domain with a dot in front. Even though the Mozilla Set-Cookie specs say leading dots in domain names are ignored, apparently they are not, because I can see it in the loaded cookie and now it works for both backend and frontend. Now it actually works with sameSite: "strict", so I left that as it's more secure.



auth: {
  cookies: {
    secure: true, // (https)
    sameSite: "strict",
    domain: ".example.com",
  },
},
  • generator101 (last year)
    @902633550963146813

    Is .example.com your frontend domain or backend? I am hosting the frontend on a different domain.

  • filippomasoni (last year)

    Sorry for the delay, I didn't receive a notification. example.com is my frontend (Next.js) and backend.example.com is my backend (Payload).



    In this case I'm not sure what the domain setting in cookies does; I solved it with trial and error.



    In my case, since the first-level domain is the same, the cookie that is set works for both frontend and backend, so if I log in on one the other is automatically logged in; the cookie is shared. If the first-level domain is different, then I think you have to set the frontend domain, and then it will probably give a separate and different cookie for each domain.
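The cookie rules behind the solved configuration above and the follow-up about shared versus separate cookies, as an added example that is not code from this thread or from Payload. It implements the storage and matching rules of RFC 6265 (section 5.2.3: a leading dot on Domain is stripped; section 5.3: a cookie without Domain is host-only, and a Domain that does not cover the responding host is discarded; section 5.4: which stored cookies are attached to a request) plus a simplified same-site check, so the behaviour can be reproduced without a browser. The hosts example.app (Next.js) and backend.example.app (Payload) are taken from the thread; the cookie name "payload-token", the header values and the single-label public-suffix assumption in registrableDomain are assumptions made for the example.

```javascript
// Added example (not the thread's or Payload's own code): RFC 6265 cookie
// storage and matching, applied to the hosts named in the thread.

// Parse one Set-Cookie header value into its name/value pair and attributes.
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const raw of rawAttrs) {
    const [k, ...v] = raw.trim().split('=');
    attrs[k.toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name, value, attrs };
}

// RFC 6265 section 5.1.3: does requestHost domain-match cookieDomain?
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  if (host === domain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith('.' + domain);
}

// RFC 6265 section 5.3: decide whether a user agent stores the cookie from a
// response sent by responseHost, and with which domain / host-only flag.
// Returns { stored, reason }; stored is null when the cookie is discarded.
function storeCookie(header, responseHost, { https = true } = {}) {
  const c = parseSetCookie(header);
  const secure = c.attrs.secure === true;
  const sameSite = typeof c.attrs.samesite === 'string'
    ? c.attrs.samesite.toLowerCase() : 'lax'; // browsers default to Lax

  // Modern browsers drop Secure cookies from non-https responses and
  // reject SameSite=None unless Secure is also set.
  if (secure && !https) return { stored: null, reason: 'Secure cookie over http' };
  if (sameSite === 'none' && !secure) return { stored: null, reason: 'SameSite=None requires Secure' };

  let domain = typeof c.attrs.domain === 'string' ? c.attrs.domain.toLowerCase() : '';
  // Section 5.2.3: a leading dot on the Domain attribute is ignored.
  if (domain.startsWith('.')) domain = domain.slice(1);

  if (domain) {
    // Section 5.3 step 6: the responding host must domain-match the
    // attribute, otherwise the whole cookie is ignored.
    if (!domainMatches(responseHost, domain)) {
      return { stored: null, reason: `Domain=${domain} does not cover ${responseHost}` };
    }
    return { stored: { name: c.name, value: c.value, domain, hostOnly: false, secure, sameSite }, reason: null };
  }
  // No Domain attribute: host-only cookie, returned only to the exact host.
  return { stored: { name: c.name, value: c.value, domain: responseHost.toLowerCase(), hostOnly: true, secure, sameSite }, reason: null };
}

// Simplified registrable domain (eTLD+1) for the same-site check.
// Assumption: the public suffix is one label, true for .app but not for
// multi-label suffixes such as co.uk (real browsers use the Public Suffix List).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// RFC 6265 section 5.4: would the stored cookie be attached to a request to
// requestHost that was initiated by a page on initiatorHost?
function cookieSentTo(cookie, requestHost, initiatorHost, { https = true } = {}) {
  if (cookie.secure && !https) return false;
  const host = requestHost.toLowerCase();
  const domainOk = cookie.hostOnly ? cookie.domain === host : domainMatches(host, cookie.domain);
  if (!domainOk) return false;
  // SameSite=Strict / Lax cookies are withheld from cross-site requests.
  if (cookie.sameSite !== 'none' && registrableDomain(initiatorHost) !== registrableDomain(host)) return false;
  return true;
}

// Reproduce the thread: the same cookie set by backend.example.app with and
// without a Domain attribute, checked against the Next.js frontend host.
function demo() {
  const backend = 'backend.example.app';
  const frontend = 'example.app';
  const hostOnly = storeCookie('payload-token=abc; Path=/; HttpOnly; Secure; SameSite=Strict', backend).stored;
  const shared = storeCookie('payload-token=abc; Path=/; HttpOnly; Secure; SameSite=Strict; Domain=.example.app', backend).stored;
  const foreign = storeCookie('payload-token=abc; Secure; Domain=other.example', backend);
  return {
    hostOnlySentToBackend: cookieSentTo(hostOnly, backend, frontend),   // true
    hostOnlySentToFrontend: cookieSentTo(hostOnly, frontend, frontend), // false
    sharedDomain: shared.domain,                                        // 'example.app'
    sharedSentToBackend: cookieSentTo(shared, backend, frontend),       // true
    sharedSentToFrontend: cookieSentTo(shared, frontend, frontend),     // true
    foreignRejected: foreign.stored === null,                           // true
  };
}

console.log(demo());
```

The run shows the two outcomes from the thread side by side: without a Domain attribute the cookie is host-only and never reaches example.app, while with Domain=.example.app (stored as example.app, dot stripped) it is sent to both hosts, and because both hosts share the registrable domain example.app, SameSite=Strict does not block it. A cookie whose Domain does not cover the responding host is discarded outright.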
