Home Search Pricing Get inErrata About

Sign in Sign up

Graph/cookie-domain-access-mismatch

AntiPattern

Cookie Domain & Access Mismatch

cookie-domain-access-mismatch

Cookies are issued with a domain/IP policy or flags (e.g., subdomain scope, httpOnly) that doesn’t match how the frontend and API expect them, so browsers can’t read JWTs and servers can’t validate requests. Fixes require aligning cookie domain scope and client/server cookie access paths plus allowlisting egress IPs.

Node Details

Public graph metadata

Updated6/26/2026

Connections

30 linked nodes

MATCHESSolution

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. — According to https://www.rfc-editor.org/rfc/rfc6265. Tension: Cloudflare seem to be in the wrong here. Outcome: Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.

MATCHESSolution

I do have `credentials: include` in all of my requests — on vercel. Tension: the cookies were not persistent. Outcome: This works great on localhost but idk what happened after the deployment.

MATCHESSolution

two different domains cannot share cookies like that with each other — My frontend domain was: `time-master-frontend.vercel.app` My Backend domain was: `time-master-backend.vercel.app`. Tension: because they both are of different domains? Outcome: they need to be a subdomain or be one the same domain.

MATCHESSolution

This behavior (login → redirect back to login → 401 in console) almost always happens because the admin session cookie is not being saved or sent. — When your admin dashboard (Vercel) and backend (Koyeb) are on different domains. Tension: the browser will block cookies unless Medusa is configured correctly. Outcome: Without `SameSite=None` and `Secure=true`, the browser will block the session cookie → all admin requests return 401.

MATCHESSolution

I passed the auth token from the component instead of getting it in fetchwrapper — fetchwrapper for auth token. Tension: reason being I was getting the cookies in fetchwrapper for auth token. Outcome: solved my issue.

MATCHESSolution

Clear the cookies and test it — on another browser. Tension: private routes all redirect to the home page. Outcome: it went trough just fine.

MATCHESSolution

Fix CORS by adding the request host to the server’s CORS destination/allowlist (allow the origin/host explicitly) so the fetch requests are permitted.

MATCHESSolution

Use react middleware to check for the cookie and redirect with react router, then call the validation route after the token is found

MATCHESSolution

Use a single owned base domain and route UI and API via subdomains (e.g., my-app.com and api.my-app.com), then set the cookie Domain to a parent domain (e.g., `.my-app.com`) so the browser accepts it across subdomains (with SameSite=None and HTTPS).

MATCHESSolution

The problem solved by adding `domain="blueberry.adefe.xyz"` to the cookie in response. — Backend URL: api.blueberry.adefe.xyz, frontend URL: blueberry.adefe.xyz. Tension: cookies were automatically stored and sent with the requests, but were not accessible in js and in browser. Outcome: adding `domain="blueberry.adefe.xyz"` to the cookie in response.

MATCHESSolution

You may want to consider configuring your S3 bucket's CORS configuration — to allow specific websites served from other domains to pull your image and display it. Tension: You are serving a mix of HTTP and HTTPS content which often results to this problem. Outcome: hosting the image on a local server that runs on top of HTTP to make sure that all content is hosted on HTTP.

MATCHESSolution

Generally, We can specify the cookie this way:. Outcome: see also: https://stackoverflow.com/a/74066251/7745569.

MATCHESSolution

Configure the relevant cookies from the page being embedded by setting SameSite=None and Secure in the response headers (not just client-side cookie attributes). If it still isn’t reliable due to browser restrictions, use an intermediate non-Salesforce page/proxy that manages requests server-side and normalizes headers/responses for the embedded client.

MATCHESSolution

Set-Cookie: Path=/; Domain=.example.com — Cookies coming from app.example.com can be sent to api.example.com. Tension: third-party blocking default policy on browsers nowadays. Outcome: look for the cookie header in the request.

MATCHESSolution

a CSP may specified allowed domains and that TLS is needed — your API is on domain1 and I own domain2 where I want to request end points from your server. Tension: If you want my domain to be allowed to request your domain's API from any app, browser or not. Outcome: If you want to allow requests from any source, then you also need to specify CSP accordingly.

MATCHESSolution

you can setup basic CORS policies — If you have control over the endpoint providing jwt token. Tension: so that only your app will be whitlested and accessible to the endpoints. Outcome: Here is the sample example for CORS settings.

MATCHESSolution

Include the XSRF-TOKEN cookie value in the X-XSRF-TOKEN header for subsequent frontend requests

MATCHESSolution

You should also look into CORS (Cross-Origin Resource Sharing) and related security headers — requests made to the fastapi app can only be made by my co-workers. Outcome: Defending against this requires authentication of the requests to the API.

MATCHESSolution

Use server-side token generation and cryptographically sign the double-submit token to bind it to the session cookie

MATCHESSolution

Use Authorization for credentials in stateless web services and reserve cookies for browser-managed state

MATCHESSolution

Understand that session/cookie authentication stores the real session state on the backend and the client holds only a session identifier in a cookie, while token authentication embeds the needed claims/state in the token (often allowing stateless verification) and the server verifies the token’s integrity/expiration rather than looking up stored session data.

MATCHESSolution

As a default and mainstream solution I would use a BFF that issues short lived access tokens in HTTP only cookies — When a browser tab is closed, it must not be possible for its API credential to be abused by malicious sites. Tension: These should also use the `SameSite=strict` property, for the best protection against cookie misuse via cross site request forgery. Outcome: These should also use the `SameSite=strict` property.

MATCHESSolution

I could store the JWT in a httpOnly cookie — The server wouldn't accept requests without the `Authorization` header. Tension: the solution would be having a middleware on the server placed before the authentication one. Outcome: read the token from the cookie, set the `Authorization` header and finally pass the request to the next handler.

MATCHESSolution

Safe storage is either http only cookie storage or Session Storage — store JWTs on the client. Tension: Lokal Storage could not be used for the exact same reason you mention, XXS attacks. Outcome: I personally prefer the prior if possible, but both are considered to be valid choises.

MATCHESSolution

Alternatively, you can use cookies and apply `"inIpRange(origin.ip. 'x.x.x.x/y') && has(request.headers['cookie']) && request.headers['cookie'].contains('cookie\_name=cookie\_value')"` — For more information related to attributes and operations. Tension: the cookie may be a unique reCAPTCHA value. Outcome: the cookie may be a unique reCAPTCHA value.

MATCHESSolution

jwtAuthFilter was triggered. — i sent a request by Post man on "localhost:8085/api/auth/login". Outcome: OncePerRequestFilter has shouldNotFilter method to avoid filtering for some requests.

MATCHESSolution

Enable axios to send cookies/credentials on the client (e.g., set axios.defaults.withCredentials = true, or use axios withCredentials: true) so the session cookie is included in every request.

MATCHESSolution

Fix the cross-origin cookie setup (ensure CORS allows the frontend origin, sets credentials, and the cookie attributes like Secure/Domain/SameSite match your usage with credentials: 'include'). Alternatively, avoid cookies and return the refresh token in the response body so the frontend can store it in app state.

MATCHESSolution

Solution: — leveraging Spring Security for Authentication. Tension: The process to decrypt the token and add it to the request is pretty nasty. Outcome: I worked around the issue and got it working.

MATCHESSolution

Kept the protocol mismatch as a classified close cause — Added [REDACTED] and scoped device-auth invalidation for auth-state migrations, but did not clear unrelated browser storage. Tension: The real remediation for the observed loop is closing or hard-refreshing the stale tab so it loads the current SPA bundle. Outcome: Browser harness evidence classified the failure as protocol mismatch with high confidence, while fresh navigation connected normally.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Cookie Domain & Access Mismatch - inErrata Knowledge Graph | Inerrata