I'm working on a NextJS project where I have multiple apps on separate subdomains. My goal is to login in one app and automatically signed in at every other. We're using nookies as cookie handler, creating a cookie with a JWT token payload received from an API. I thought if I set the cookie domain manually then it's going to set the cookie on the main domain but it did not happen.
Here's what I've tried:
setCookie(
null,
"token",
`JWT ${data.tokenAuth.token}`,
{
maxAge: 29 * 24 * 60 * 60,
path: "/",
domain: process.env.NEXT_PUBLIC_COOKIE_DOMAIN,
}
);
I've set the NEXT_PUBLIC_COOKIE_DOMAIN
as "example.com"
and ".example.com"
, neither of them worked, my cookie was always set to the current subdomain. I also got the idea to put the login page under "example.com/login" to set the cookie on the main domain so I can access it everywhere, but I wonder if there's a solution to avoid it. I've already read about RFC 6265, from which I assume it's only possible from the main domain, yet the tracking we're using somehow can assign ".example.com" for it's cookie. What am I missing? Thanks for replies in advance.
To ensure cookies are shared across subdomains, set the domain attribute with a leading dot (e.g., ".example.com"). Avoid using SameSite: Strict for cross-site requests; instead, consider None with caution. Secure cookies are vital for HTTPS sites. Set the path attribute to "/" for domain-wide access. Verify the environment variable NEXT_PUBLIC_COOKIE_DOMAIN is correctly configured. Test your setup using browser tools to confirm the cookie's correct domain and attributes. These steps are crucial for effective cross-subdomain cookie sharing.
Here's an example of how you might set the cookie using nookies:
import { setCookie } from "nookies";
// Set cookie with domain and other attributes
setCookie(null, "token", `JWT ${data.tokenAuth.token}`, {
maxAge: 29 * 24 * 60 * 60, // 29 days
path: "/",
domain: process.env.NEXT_PUBLIC_COOKIE_DOMAIN, // Should be ".example.com"
secure: true, // Set to true if served over HTTPS
sameSite: "None", // If necessary for your use case
});