-
-
Notifications
You must be signed in to change notification settings - Fork 248
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Session cookie not created when static web app is sitting behind azure front door due to domain mismatch #643
Comments
I am unsure to understand the exact issue, perhaps you can dig it more and show a few examples of when is the domain an issue? (I don't know Azure much) |
Say I have a website with the url example-a.com sitting behind a front door instance with url example-b.com. The user navigates to example-b.com to access the site, but because the site is actually running on example-a.com, iron-session sets example-a.com as the domain when it creates the cookie and so the browser blocks that because it's trying to add that cookie to example-b.com. While it's not the way I'm using it, front door can also be used as a load balancer, which would run into similar issues and I imagine similar issues would happen with non azure load balancers. Not sure there is anything that can be done on your side, so feel free to close this if that's the case. |
For anyone else running into this problem, I did get a recommendation from azure support on how to tackle this issue. Basically it involves forcing all of the environments to use the same url. Their solution can be seen below.
|
I have a nextjs website running on an azure static web app behind azure front door. When an api is called, it gathers some data and creates a session cookie with a redirect response that has a set-cookie header. Unfortunately, this does not work, as the domain iron-session attaches to the cookie does not match the host url and so the browser ignores it with the message
This happens even when I don't set a domain in the cookieOptions object. Is there a way to force iron session to not set a domain on the cookie, like it does when running locally?
The text was updated successfully, but these errors were encountered: