I am working on a website and I separated my front-end from my back-end, both have their domain:
FE : website.domain.com
BE : be.website.domain.com
I am struggling with cookies, since it is the first time I work with it. When a user is registering on the front-end, it create post request to the back-end, where the user is added to DB and the back-end is supposed to send back a session token within a cookie. This works really fine when I test it from the API docs (using fatsAPI), but does not from the front-end.
I think it is an issue due to cross origin, but the post request does work, the cookie is set as follow:
response.set_cookie("session", token_char, secure=True, httponly=False, max_age=7200, domain="domain.com", samesite="None", path="/")
I also set both the FE server and the BE server with the following parameters
app.add_middleware(
CORSMiddleware,
allow_origins=["https://website.domain.com","https://be.website.domain.com"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
Yes the cookie is well received in the header of the post response. I know the cookie is not set because:
- it can not be found via JavaScript.
- it is not displayed in the storage from Mozilla/Chromium/LibreWolf
Or, if it was previously set through the API, i can read it but the value is the old one and not the newly generated one, that I can see, in the network tab and on the server console (debug print)
I specifically verified that all cookies where accepted in two of those browsers.
More information can be found at the open repo for the project even though it is only being started: https://github.com/Hirofine/MagiMathicArt
Edit as solved (kind of):
Since I could not figure a way to do it, I moved the register and login page to be served by the back-end server. There I can set the cookie on the domain "domain.com" and access it from my front-end.
This is not something I really like since I have to use the back-end server to server Front-end files, but the other solutions I could have gone with was to send the token in the response from the post request, and then either set the cookie using javascript, or redirect to a page served by the back-end that would set the cookie and then redirect to the front-end which is kind of equivalent to my actual solution except it makes the token travel way more on the network, and I would probably be required use javascript to send it between the pages.
If a better answer is proposed here, or I find a better solution, I will update, in the mean time, my solution seems to work