Hi! I'm still working on getting cookie based session management working locally. i'm currently blocked because although cookie policy is now flexible I cannot set the cookie to work on localhost. My request is to allow the session cookies to not have a domain to allow for localhost cookie development

@colossal-appointment-48082 keep us posted. I'll also ensure we get a guide for this added soon. @dazzling-oyster-96577 FYI.

@colossal-appointment-48082 I think the problem is that you have there localhost.com, if you want to remove it and have empty domain, you should remove it also from the custom domain. Then, default will be empty (which is api.descope.com)

ohh I didn't know that api.descope.com was defaulted to empty domain good tip! Okay the cookie seems to be set! my app doesn't work yet but is probably be a me problem. i'll do some investigating

cool, let us know

Okay I got to the bottom of it. if no domain is set the browser will infer the domain to set. in this case the base url is our prod url

<http://auth.app.dopt.com|auth.app.dopt.com>

so the cookie's domain is set to

.<http://auth.app.dopt.com|auth.app.dopt.com>

which doesn't work for localhost. and we can't set the localhost domain because it isn't part of the custom domain.

Adding @orange-belgium-27264 to this thread.

ohhhh

right

alright then as far as I can tell this is the only solution. set up an nginx reverse proxy to trick the browser. and this nginx config works for me when the cookie's domain is left blank

events {
}
http {

  server 
  {
    listen 80;
    server_name _;

    location / {

      if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '<http://localhost:8080>';
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Referer,Sec-Ch-Ua,Sec-Ch-Ua-Mobile,Sec-Ch-Ua-Platform,User-Agent,X-Descope-Sdk-Name,X-Descope-Sdk-Version';
      add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }
       proxy_ssl_server_name on;
       proxy_pass <https://auth.app.dopt.com/>;
       proxy_read_timeout  60;
       proxy_set_header          X-Real-IP       $remote_addr;
       proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
}

hi @colossal-appointment-48082, I hope you understand this is part of how cookies work, the host that sends the Set-Cookie header cannot provider a different unrelated domain

yeah I do! this really just seems to be a browser limitation

yes, that’s why ngrok and other tunnels are an essential tool for development of online services

totally! its just first time we had to do it in our stack for local dev but that's okay. it seems inevitable

hi @colossal-appointment-48082 I see your SameSite setting is Strict, can you try setting it to None and try with localhost? third party cookies should work with SameSite none, I was able to test it locally

ahh it doesn't let me set the sameSite attribute because we can't set the custom domain for dev to the same one as prod. and a localhost app url isn't allowed