Home Search Pricing Get inErrata About

Sign in Sign up

Graph/cross-subdomain-cookie-mismatch

Pattern

Cross-Subdomain Cookie Mismatch

cross-subdomain-cookie-mismatch

A recurring cookie/session issue where authentication cookies set for one host (e.g., api.mydomain.com or blueberry.adefe.xyz) are not sent or readable by another subdomain (portal.*), requiring explicit domain scoping and session handling alignment.

Node Details

Public graph metadata

Updated4/30/2026

Connections

30 linked nodes

Cookie “__vercel_live_token” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict” — deployed it on Vercel. Tension: But i setup cookies in my project like this. Outcome: Then you need to use https://localhost:5000 and not http://localhost:5000.

When the UI calls the `POST /auth/callback/passkey` endpoint. Tension: Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. Outcome: Cloudflare seem to be in the wrong here.

when I refresh my page the cookie gets deleted — I have deployed my sveltekit frontend and python flask backend on vercel. Tension: On localhost, they worked just fine however when I deployed it, the cookies were not persistent. Outcome: it does sets the cookie, but on refresh, the cookie gets disappeared.

I was facing the same error during build — That's my home page. Where I am using FeaturedVacancies. Tension: reason being I was getting the cookies in fetchwrapper for auth token. Outcome: solved my issue.

django.security.csrf: Forbidden (Origin checking failed - https://sentry-domain.com does not match any trusted origins.) — /account/recover/ (status_code=403 request=<WSGIRequest: POST '/account/recover/'>). Tension: when it comes to login (correct or wrong username and password). Outcome: It is solved by some steps.

Using Fetch from my `index.html` from my `portal.mydomain.com` does not. — Enter `api.mydomain.com` into a browser directly does save my cookie. Tension: I have no CORS errors and the OPTIONS, GET and POST requests all get a 200 response. Outcome: just no cookie, nor can I see the cookie set in my broswer dev tools.

RedirectResponse goes to "/" without the authentication cookie

AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption. Tension: redirects uris not matching.

SessionMiddleware in a FastAPI backend fails to set the session cookie when the React frontend and backend are hosted on different domains/subdomains (e.g., XXX-ui.fly.dev vs XXX-api.fly.dev). The browser rejects the cookie with an 'invalid domain' error and no session is maintained.

were not accessible in js and in browser — Cookies are being set and sent with the next request. Outcome: The problem solved by adding `domain="blueberry.adefe.xyz"` to the cookie in response.

stripe login returns unexpected http status code: 403

Checkout redirect can be faked by appending the success query string or spoofing the HTTP referer

MissingKeyMissing Key-Pair-Id query parameter or cookie value — {urn}/manifest/{derivativeurn}/signedcookies. Tension: I get the following error that suggest I'm missing a header.

Executing an authenticated AWS AppSync GraphQL mutation from a Next.js API route fails with `NoSignedUser: No current user` when using `generateClient()` from `aws-amplify/api`. Attempts to use `generateServerClientUsingCookies` also fail due to incorrect cookie handling/context.

it always return undefined or empty string — I want to get the cookie with my client component. Tension: I am using js-cookie since someone recommend it.

Failed to fetch /api/auth/csrf — while integrating it with Keycloak and a custom base path. Tension: Verified the csrf endpoint manually, but it appears to be unreachable. Outcome: I solved it by manually signout.

If at all I login in a new tab and close it. Tension: A Session needs to be maintained for authentication and authorization. Outcome: How can I achieve it?

Embedding a CPQ web app as an iframe inside Salesforce fails to persist authentication cookies/session for API calls. Login in a new tab isn’t recognized inside the Salesforce iframe, preventing authorized requests.

A SPA calls a backend API (B) which must call another downstream API (C) on behalf of the signed-in user. The question is how to pass/obtain appropriate tokens so B can call C without unsafe or inappropriate token handling (e.g., forwarding an identity token).

the cookie will be specifically set with `domain=app.sunsetland.com.au`. Tension: if we were to host another subdomain aside from `app.`, we actually would likely encounter the reCAPTCHA challenge again.

Considerations for CORS (Cross-Origin Resource Sharing) should be taken into account with Option 1 — Option 1 utilizes an absolute URL (https://example.com/project_folder/user) for making AJAX calls. Tension: as it may lead to restrictions when making requests to a different domain. Outcome: Option 2 is often preferred within the same domain due to reduced risks of unintended requests to other domains.

callback request is not secure enough for production

A Rails cookie_store session cookie decrypted from production contains no explicit timestamp fields, so it’s unclear how Rails determines when the session should expire to prevent session replay attacks.

can I create, from 2. and 3. a server side httpOnly cookie (containing a `widget_id`) of domain `mycompany-example.com`, that can be used during step 5. Outcome: when the user visits our website so we know which widget they come from ?

Client-side double-submit CSRF token generation is vulnerable to subdomain hijacking

Confusion about cookie authentication versus token authentication

httpOnly cookies are the best way to store tokens safely and protect them from XSS attacks — storing JWTs on the client. Tension: JavaScript won't be allowed to read httpOnly cookies. How would the client handle routes authentication? Outcome: The browser won't automatically set the `Authorization` header like it does with cookies.

the browser prevents a potential CSRF attack and doesn't include the token — The call is to the backend endpoint specified earlier in `redirect_uri`. Tension: I need a browser to include the `ASP.NET_SessionId` cookie in the request. Outcome: If I set the `SameSite` cookie attribute to `None` the endpoint can be reached.

on Chrome I get an error saying that the CSRF token is mismatched — show a third-party web page (with their approval) in an iframe. Tension: This site has a different domain to my parent site. Outcome: The site displays fine on firefox.

If I check 'Remember Me' in form, this add a cookie with name "REMEMBERME". Tension: I'm implementing custom authenticator. Outcome: your cookie is normal.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata