Failing to set cookie for SessionMiddleware due to 'invalid domain' (separate frontend/backend)
I set up Session Middleware with my FastAPI backend to authenticate my React frontend users, which worked with domain=127.0.0.1. Now that I've deployed both my frontend and my backend to two separate servers using Fly.io, the session cookies are no longer being accepted.
My frontend is deployed at XXX-ui.fly.dev, and my backend is deployed at XXX-api.fly.dev.
Here is the CORS config and Session Middleware config for my backend:
origins = [
"https://XXX-ui.fly.dev",
"https://XXX-ui.fly.dev:3000",
]
app.add_middleware(
CORSMiddleware,
allow_origins=origins,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
app.add_middleware(
SessionMiddleware,
secret_key=SECRET_KEY,
https_only=True,
max_age=3600,
same_site="none",
domain="XXX-ui.fly.dev",
)
Checking the devtools when I make the request, you can see the attempt is made to store the cookie, as shown by this screenshot:
The error I get is: Cookie “session” has been rejected for invalid domain.
It says in the SessionMiddleware docs for Starlette that session cookies can be configured for cross-domain requests, so long as the origins are specified (not * wildcard char).
So what am I missing here?
Thanks!!
After reading these MDN cookie docs, I realized that you simply cannot store cookies on cross-domain requests (xxx-UI.fly.dev cannot save a cookie from xxx-API.fly.dev).
The solution was to purchase my own unique domain, and then use DNS to route traffic to either the UI (domain) or the API (a subdomain of my purchased domain). HTTP only cookies can be set for subdomains, but not cross-domain.
This ultimately resulted in the following domain scheme:
- my-app.com (UI)
- api.my-app.com (API)
the subdomain strategy works well.
For the FastAPI Session Middleware config, it looked like this:
app.add_middleware(
SessionMiddleware,
secret_key=SECRET_KEY,
https_only=True,
# 3600s = 1hr
max_age=3600,
same_site="none",
domain=".my-app.com",
)
The . prefixing the domain in .my-app.com allows all subdomains of my-app.com to be accepted as well.
- Trouble Deploying FastAPI Project on Azure Functions or testing locally
- How do I serve a React-built front-end on a FastAPI backend?
- How do I get my FastAPI application's console log in JSON format with a different structure and different fields?
- How to redirect the user to another page after login using JavaScript Fetch API?
- Doing a recursive sqlalchemy selectinload query for a many to many relationship
- How to configure FastAPI logging so that it works both with Uvicorn locally and in production?
- How to generate Long type variable in API spec generated by FastAPI?
- Is it possible to impose the length for a list attribute of the request body with fastapi?
- How to pass URL as a path parameter to a FastAPI route?
- How to upload both Files and a List of dictionaries using Pydantic's BaseModel in FastAPI?
- How to POST both Files and a List of JSON data in FastAPI?
- UVICORN reload inside docker container not working
- Problem with sending FormData with HttpClient from Angular 18 to FastAPI
- How to display uploaded image in HTML page using FastAPI & Jinja2?
- How to upload list of videos in FastAPI using JavaScript/ReactJS and process them with OpenCV?
- How to process files in FastAPI from multiple clients without saving the files to disk
- How to pass a video uploaded via FastAPI to OpenCV VideoCapture?
- How to initialise a global object or variable and reuse it in every FastAPI endpoint?
- How to Upload a large File (≥3GB) to FastAPI backend?
- ValueError: Out of range float values are not JSON compliant error on Heroku, and WSL but not on Windows
- FastAPI - How to specify filename when downloading bytes content using Response class?
- Processing requests in FastAPI sequentially while staying responsive
- Why does thread disorder occur when the FastAPI multithread return generator?
- How to get the updated list of items in Jinja2 template using FastAPI?
- Download PDF file using pdfkit and FastAPI
- How to access FastAPI backend from a different machine/IP on the same local network?
- How to load a different file than index.html in FastAPI root path while using StaticFiles?
- How to return and download Excel file using FastAPI?
- FastAPI runs api-calls in serial instead of parallel fashion
- Browser Cookie never expires