Home Search Pricing Get inErrata About

Sign in Sign up

Graph/cross-origin-cookie-not-stored

Pattern

Cross-Origin Cookie Not Stored

cross-origin-cookie-not-stored

A recurring cross-origin authentication flow where browser cookie storage/access fails (often appearing in response headers but missing in deployment) because CORS credentials, cookie attributes, and path/expiry semantics don’t align with fetch usage.

Node Details

Public graph metadata

Updated5/1/2026

Connections

30 linked nodes

Axios requests need to work on both client and server in Next.js while switching between DEVICE_TOKEN and AUTH_TOKEN for authentication

Cookie “__vercel_live_token” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict” — deployed it on Vercel. Tension: But i setup cookies in my project like this. Outcome: Then you need to use https://localhost:5000 and not http://localhost:5000.

When the UI calls the `POST /auth/callback/passkey` endpoint. Tension: Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. Outcome: Cloudflare seem to be in the wrong here.

when I refresh my page the cookie gets deleted — I have deployed my sveltekit frontend and python flask backend on vercel. Tension: On localhost, they worked just fine however when I deployed it, the cookies were not persistent. Outcome: it does sets the cookie, but on refresh, the cookie gets disappeared.

Sentry reports a CORS error when the Vue 3 app running on http://localhost:3000 tries to send requests to the Sentry DSN, with the browser blocking the fetch due to a missing Access-Control-Allow-Origin header.

it fails — The code works locally but when I put it on an EC2 machine and change the CORS origins accordingly. Tension: I've checked the URL for 2 hours straight. Outcome: Still the same error below.

Using Fetch from my `index.html` from my `portal.mydomain.com` does not. — Enter `api.mydomain.com` into a browser directly does save my cookie. Tension: I have no CORS errors and the OPTIONS, GET and POST requests all get a 200 response. Outcome: just no cookie, nor can I see the cookie set in my broswer dev tools.

none of customized request headers could be obtained in `UserIdValidationMiddleware` — If the order is reversed, then. Tension: It is not on the axios side. Outcome: Finally, this issue is fixed after reading CORSMiddleware not work and it is related to CORS.

RedirectResponse goes to "/" without the authentication cookie

SessionMiddleware in a FastAPI backend fails to set the session cookie when the React frontend and backend are hosted on different domains/subdomains (e.g., XXX-ui.fly.dev vs XXX-api.fly.dev). The browser rejects the cookie with an 'invalid domain' error and no session is maintained.

were not accessible in js and in browser — Cookies are being set and sent with the next request. Outcome: The problem solved by adding `domain="blueberry.adefe.xyz"` to the cookie in response.

MissingKeyMissing Key-Pair-Id query parameter or cookie value — {urn}/manifest/{derivativeurn}/signedcookies. Tension: I get the following error that suggest I'm missing a header.

Executing an authenticated AWS AppSync GraphQL mutation from a Next.js API route fails with `NoSignedUser: No current user` when using `generateClient()` from `aws-amplify/api`. Attempts to use `generateServerClientUsingCookies` also fail due to incorrect cookie handling/context.

it always return undefined or empty string — I want to get the cookie with my client component. Tension: I am using js-cookie since someone recommend it.

Failed to fetch /api/auth/csrf — while integrating it with Keycloak and a custom base path. Tension: Verified the csrf endpoint manually, but it appears to be unreachable. Outcome: I solved it by manually signout.

Embedding a CPQ web app as an iframe inside Salesforce fails to persist authentication cookies/session for API calls. Login in a new tab isn’t recognized inside the Salesforce iframe, preventing authorized requests.

In an Electron renderer process, cross-origin fetches behave differently in development vs production, with no expected CORS preflight requests visible in production builds. The user also questions whether Electron enforces browser-style CORS and how `nodeIntegration` affects this behavior.

Considerations for CORS (Cross-Origin Resource Sharing) should be taken into account with Option 1 — Option 1 utilizes an absolute URL (https://example.com/project_folder/user) for making AJAX calls. Tension: as it may lead to restrictions when making requests to a different domain. Outcome: Option 2 is often preferred within the same domain due to reduced risks of unintended requests to other domains.

users can only grab jwt token if the provider of the token is public endpoint open to all — a web-app called CoolApp that accesses its server via JWT access+refresh tokens. Tension: what's stopping the user from grabbing these tokens and then creating their own CustomCoolApp? Outcome: you can setup basic CORS policies so that only your app will be whitlested and accessible to the endpoints.

Confusion about cookie authentication versus token authentication

httpOnly cookies are the best way to store tokens safely and protect them from XSS attacks — storing JWTs on the client. Tension: JavaScript won't be allowed to read httpOnly cookies. How would the client handle routes authentication? Outcome: The browser won't automatically set the `Authorization` header like it does with cookies.

the browser prevents a potential CSRF attack and doesn't include the token — The call is to the backend endpoint specified earlier in `redirect_uri`. Tension: I need a browser to include the `ASP.NET_SessionId` cookie in the request. Outcome: If I set the `SameSite` cookie attribute to `None` the endpoint can be reached.

Swagger UI API requests need an Authorization bearer token header for SSO, but the attempted fetch event interception does not catch the outgoing requests.

on Chrome I get an error saying that the CSRF token is mismatched — show a third-party web page (with their approval) in an iframe. Tension: This site has a different domain to my parent site. Outcome: The site displays fine on firefox.

If I check 'Remember Me' in form, this add a cookie with name "REMEMBERME". Tension: I'm implementing custom authenticator. Outcome: your cookie is normal.

Browser requests to the PHP API from a React/Vite app fail with a CORS error when an Authorization header is included. Requests without custom headers work correctly.

req.cookies.jwt is defined in localhost but undefined in deployment — The cookies are being set in the browser. Tension: the only problem is I can't access them. Outcome: Here to ken is undefined.

The browser does not store the refresh token cookie returned by the Django Ninja login endpoint, even though the cookie appears in the response headers and the fetch call uses credentials: 'include'.

Wget before 1.21.1 forwards HTTP Authorization headers to different origins when following cross-origin redirects. — when following cross-origin redirects. Tension: An attacker-controlled server can respond with a 302 redirect to its own domain and capture the victim's credentials. Outcome: This is a critical information-leak vulnerability that affects users who authenticate to legitimate websites and are then redirected to attacker-controlled servers.

throws "Cookies can only be modified in a Server Action or Route Handler" — called from Next.js 15 Server Components (pages, layouts). Tension: The error appears intermittently — only when the session needs refreshing (controlled by `updateAge` config). Outcome: With `updateAge: 300` (5 minutes), it crashes every ~5 minutes for active users.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata