3

I have a working sign up and sign in end point when using desktop browsers (only Chrome), but when trying to sign up or sign in using a mobile browser, the server times out. I suspect this is because my session cookies and csurf cookies are not being sent over with my fetch request.

I have opened Safari development on my mobile browser, and it does not show any cookies. I suspect now that this is because of MaxAge --

Note that my api and client are on separate domains, Heroku and Netlify. See the code below:

CORS Options

const options = {

  origin: "clientUrl",
  methods: "GET,HEAD,PUT,PATCH,POST,DELETE",
  allowedHeaders: [
    "Content-Type",
    "Access-Control-Allow-Headers",
    "Access-Control-Allow-Origin",
    "Authorization",
    "csrf-token"
  ],
  exposedHeaders: [
    "Content-Type",
    "Access-Control-Allow-Headers",
    "Access-Control-Allow-Origin",
    "Authorization",
    "csrf-token"
  ],

  maxAge: 3600,
  preflightContinue: true,
  credentials: true
};

CSURF Config 

app.use(
  csurf({
    cookie: true,
    domain: "clientUrl",
    sameSite: "none"
  })
);

Express Session Config

app.use(
  session({
    //This is our Encryption Key
    secret: process.env.sessionCode,
    //We set resave to false because our mongo store implements the "touch" function
    resave: false,
    //We Set saveUninitialized to false because we don't want to save unmodified
    //sessions to our mongo store
    secure: true,
    domain: "clientUrl",
    saveUninitialized: false,
    unset: "destroy",
    sameSite: "none",
    store: new MongoStore({
      mongooseConnection: mongoose.connection,
      //We encrypt out store code
      code: process.env.storeCode
    })
  })
);
sideshowbarker
  • 72,859
  • 23
  • 167
  • 174
WriterState
  • 187
  • 17
  • Have you checked the cookie Preferences of the mobile browser ? If it was disabled somehow then you code might be failed. – Pengson Dec 18 '19 at 02:31
  • Yeah - it allows them. :( – WriterState Dec 18 '19 at 02:45
  • Can you confirm that the save fetch request on the same page does carrier any cookie and send to service successfully? – Pengson Dec 18 '19 at 02:48
  • On desktop it has to, or else the sign in auth wouldn’t work. – WriterState Dec 18 '19 at 03:23
  • I thought maybe this was an issue with third party cookies not being allowed in mobile. – WriterState Dec 18 '19 at 03:24
  • Hopefully, https://subinsb.com/set-same-cookie-on-different-domains/ would help. – Pengson Dec 18 '19 at 03:37
  • @sideshowbarker - do you have any insight into this? It's working fine in Chrome and Firefox. Just not Safari. – WriterState Dec 21 '19 at 23:42
  • Sorry, no, I don’t have any insight beyond just the fact it’s not related to CORS (which is why I removed the [cors] tag). If there were any CORS problem, the browser would be logging a specific CORS error in the devtools console. So I think you can at least rule out there being any problems in your CORS config. – sideshowbarker Dec 21 '19 at 23:46
  • I'm not sure I agree - it works on localhost. Something in safari is not allowing CORs – WriterState Dec 22 '19 at 00:21
  • What's your chrome version? – vidu.sh Dec 26 '19 at 19:53
  • Safari does not allow cross-domain cookies. Maybe this will help: https://stackoverflow.com/questions/408582/setting-cross-domain-cookies-in-safari – basdanny Dec 27 '19 at 16:46
  • There appears to be no way around the issue, Safari needs the setting to be changed manually. Having a cross domain api is an awful idea for session management. – WriterState Dec 27 '19 at 20:25
  • I just launched my web app and ran into the same problem. Chrome on iOS seems to have jumped on the same bandwagon. No cross domain cookies, meaning iphones cant log in to my site :/. What did you end up doing? – Chano Jun 11 '21 at 06:14
  • @Chano I never found a solution. I wound up simply hosting the front end on the same domain as the backend. – WriterState Jul 01 '21 at 01:35

0 Answers0