Cookies getting disappeared when page refreshes
I have deployed my sveltekit frontend and python flask backend on vercel. On localhost, they worked just fine however when I deployed it, the cookies were not persistent.
When I login, the cookies are there, however, when I refresh my page the cookie gets deleted. I have set Max-age to 3 days, yet it is disappearing on refresh. I just couldn't understand that.
My frontend domain was: time-master-frontend.vercel.app
My Backend domain was: time-master-backend.vercel.app
Is it because they both are of different domains? Because my other production build (on windows IIS Server) has two separate sub-domains too but they both work...
Here is the screenshot:
As you can see, it does sets the cookie, but on refresh, the cookie gets disappeared and ofcourse I do have credentials: include in all of my requests.
This works great on localhost but idk what happened after the deployment...
Any of your help would be appreciated. Thanks
After some researching, I got to know that vercel.com is a public suffix. Which means if the URL is example.vercel.app then example here is not a subdomain!
It's totally a different domain, because vercel.app is the domain extension. Just like many sites have a domain extension like: myuniversity.edu.in or product.co.uk snd so on...
The reason why companies like Vercel or Render do this, is because there are thousands of websites hosted on Vercel and so, by default they all will share cookies with each other even if they don't intend to. That's why to solve this supercookie problem, they created .vercel.app as a public suffix so that this doesn't happen.
So concluding, example.vercel.app is same as example.com, that is, they both are entirely different domains. And two different domains cannot share cookies like that with each other, that's why they need to be a subdomain or be one the same domain.
You can also refer to this post by Vercel.
What's the risk of sharing cookies?
Suppose you made a site named bank.vercel.app and a user signed into that, and the site cookie is saved at the top level that is, .vercel.app which means, if I create a site like malicious.vercel.app and all the user does is just clicking on the link to the malicious site, then that malicious site could read the login cookies of him that got saved from bank.vercel.app because it's hosted on .vercel.app domain too.
Now those scammers could easily login to their bank accounts. How crazy is that!
That's why Vercel made .vercel.app as a public suffix so that your site's cookie won't be compromised by others on vercel domain.
The Solution
Well, there are two ways to handle this situation:
Method 1:
Send the JWT token through your backend in a text response in JSON when logging in so that your frontend could read the token in it easily.
Now on the frontend side, save the cookie recieved using document.cookie and on every request you send from now on, just attach the saved cookie to the Authorization header and then send the request to the server.
Now on the backend side, you have to tweak your middleware code such that it checks the Authorization header of the request coming in, for verifying and reading cookies instead of reading browser cookies like the old way...
Method 2:
A better way would be to buy a domain name and then you will be actually having the same domains or subdomains, or you could also do both of your frontend and backend on the same stack. That is, using SvelteKit or NextJS as fullstack to never end up with this issue.
You do whatever you want, the important thing is to make sure you're on the same domain name.
- Is there a way to use Bootstrap toast in Flask flashing natively?
- How to Display Image in Flask after a button is pressed
- Python - Extract a PDF page as a jpeg
- Global variables in Flask fail with nginx
- adding user ip and user id to logfile in flask application
- Creating an api in flask without database leads to 405 error
- how to make my python-flask website available 24*7 using nginx and gunicorn
- uwsgi with https getting socket option missing
- Why does form stay in scope between route calls in flask?
- Running celery worker + beat in the same container
- run flask scheduler every hour but at random minutes
- "cannot allocate memory in static TLS block" in a Python Flask application
- Why isn't Safari (and iOS) caching my SVGs?
- Flask-SQLAlchemy Multiple filters on Parent and Child
- Pycharm unable to debug the Python Flask project
- Altering CKEditor Version 4 to include Upload Image
- How to send and receive image as part of http form-data using requests and flask
- Error in Machine Learning Flask App - jinja2.exceptions.TemplateNotFound: index.html
- I get this error - ImportError: DLL load failed while importing _psycopg: The specified module could not be found. what can I do about it?
- Connect to Flask Server from other devices on same network
- Flask writing to file on built-in server but not on remote server
- Flask-Login : Logout_user does not clear session or logout user properly
- pipenv FLASK_APP problems pointing inside folder
- Python - Flask blueprint parameter?
- RuntimeError: You cannot use AsyncToSync in the same thread as an async event loop
- How can I create a request and response with JQuery Ajax and Flask?
- Busy GPIO's Raspberry PI5
- ImportError: No module named bcrypt
- Flask: Is it possible to Mask a URL with variables?
- Flask-Uploads Permission Denied