Set Cookie Behaviour in Frontend and Backend across browsers
Closed this issue · 0 comments
anku255 commented
Backend Cookies ("Set-Cookie" Header)
Case 1:
- websiteDomain: http://example.com:3000
- apiDomain: http://example.com:3001
- cookieDomain: "example.com"
Cookie Domain in the DevTools:
- Chrome - .example.com (screenshots: Response Headers, Cookies)
- Firefox - .example.com (screenshots: Response Headers, Cookies)
- Safari - .example.com (screenshots: Response Headers, Cookies)
Frontend Cookies (document.cookie)
Summary
- If the cookie is set using a domain (supertokens.com) then a leading dot is added by the browsers. To remove this cookie the domain must be present in the remove cookie string.
- If the cookie is set without a domain then browsers do not add the leading dot. To remove this cookie the domain must not be present in the remove cookie string.
The test is performed on https://supertokens.com using the following code sample:
```javascript
// Setting cookie with a domain
document.cookie = "foo=bar; expires=Fri, 23 Jun 2025 12:00:00 UTC; path=/; domain=supertokens.com"
// Removing cookie with a domain
document.cookie = "foo=bar; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=supertokens.com"
// Setting cookie without a domain
document.cookie = "foo=bar; expires=Fri, 23 Jun 2025 12:00:00 UTC; path=/;"
// Removing cookie without a domain
document.cookie = "foo=bar; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/;"
```
Screen Recording -
- chrome_cookie.mov
- firefox_cookie.mov
- safari_cookie.mov
st-website sessionTokenFrontendDomain behaviour
Case 1:
- websiteDomain: http://example.com:3000
- apiDomain: http://example.com:3001
- sessionTokenFrontendDomain: "example.com"
Cookie Domain in the DevTools:
- Chrome - example.com (screenshot: Cookies)
- Firefox - example.com (screenshot: Cookies)
- Safari - example.com (screenshot: Cookies)
Case 2:
- websiteDomain: http://example.com:3000
- apiDomain: http://example.com:3000
- sessionTokenFrontendDomain: "example.com"
Cookie Domain in the DevTools:
- Chrome - example.com (screenshot: Cookies)
- Firefox - example.com (screenshot: Cookies)
- Safari - example.com (screenshot: Cookies)
NOTE:
The behaviour on the st-website (leading dot not getting added by the browsers) can be attributed to the fact that we remove the domain attribute while setting the cookie if sessionTokenFrontendDomain matches the hostname, which would be the case if the URL is example.com:3000 and the sessionTokenFrontendDomain is example.com. This code can be found here.
Browser Versions
This test used the following browser versions -
- Chrome - 126.0.6478.63 (Official Build) (arm64)
- Firefox - 127.0.1 (64-bit)
- Safari - 17.2.1 (19617.1.17.11.12)
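The set/remove asymmetry observed above, as an added simulation that is not code from the issue or from SuperTokens: a simplified cookie jar keyed the way Chromium keys cookies (name, stored domain, path), where a domain cookie is stored with the leading dot and a host-only cookie without it, so an expired "removal" cookie only hits the entry whose key it reproduces. The `CookieJar` and `parseCookieString` helpers are hypothetical.

```javascript
// Added example (not SuperTokens code): a simplified model of a browser cookie
// jar, keyed like Chromium's (name, domain as stored, path), to show why a
// removal string must repeat the domain attribute used when the cookie was set.
function parseCookieString(str) {
  const parts = str.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1), attrs: {} };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? '' : attr.slice(i + 1).trim();
  }
  return cookie;
}

class CookieJar {
  constructor(requestHost) {
    this.host = requestHost.toLowerCase(); // host of the page running document.cookie
    this.store = new Map();                // "name|storedDomain|path" -> record
  }

  // Models `document.cookie = cookieString`. Returns false if the domain attribute
  // does not cover the request host (browsers silently ignore such cookies).
  set(cookieString) {
    const c = parseCookieString(cookieString);
    let storedDomain = this.host; // host-only cookie: no leading dot
    if (c.attrs.domain !== undefined) {
      const d = c.attrs.domain.replace(/^\./, '').toLowerCase();
      if (this.host !== d && !this.host.endsWith('.' + d)) return false;
      storedDomain = '.' + d;     // domain cookie: stored and shown with a leading dot
    }
    const path = c.attrs.path || '/';
    const key = `${c.name}|${storedDomain}|${path}`;
    const expires = c.attrs.expires ? new Date(c.attrs.expires).getTime() : Infinity;
    if (expires <= Date.now()) {
      this.store.delete(key);     // an expired cookie only removes the entry with the SAME key
    } else {
      this.store.set(key, { name: c.name, value: c.value, domain: storedDomain, path });
    }
    return true;
  }

  // What the DevTools "Domain" column shows for each stored cookie.
  domains() {
    return [...this.store.values()].map((r) => r.domain);
  }
}
```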