FusionAuth setting wrong domain the the cookie

hamza.chouaibi · 26 Mar 2025, 08:09

I am using custom local domains.

https://auth.domain.test <= FusionAuth
https://app.domain.test <= Angular app

I also tried FusionAuth at https://auth.app.domain.test but I still get the same issue and chrome block the cookie.

I am getting issue with cookies, the domain on cookies is test.

Example: app.at_exp=1742980022; Domain=test; Max-Age=3599; Path=/; SameSite=Lax; Secure

Any idea why we endup wuth Domain=test ?

mark.robustelli · 26 Mar 2025, 15:14

@hamza-chouaibi Can you tell me a little more about how you have FusionAuth configured and what you are trying to do? My assumption is that you are using a JWT. Have you checked the Issuer setting in FusionAuth? Go to Applications -> Edit -> JWT tab.

hamza.chouaibi · 27 Mar 2025, 00:10

@mark-robustelli Thank you for ther reply.

There is my setup.

Local dev environement all running on docker containers with one Nginx acting as proxy for all of them.

All the custom domain are set in /etc/hosts
All domains running on SSL with self signed certificate.

For each test I only change the tld
so it's
Application: https://app.domain.tld
FusionAuth: https://auth.domain.tld

Tested with these .test. .local, .test. and .net

.local, .test amd .internal ending up in errors with the domain test or local

.net, .com and org both woks

for .dev can't even get the SSL to work

We will just use one of the working tld at the moment for all our dev stack.

The only thing in common that I can find for these tls is that they are listed as Reserved domains in https://en.wikipedia.org/wiki/Top-level_domain

mark.robustelli · 27 Mar 2025, 22:27

@hamza-chouaibi Have you been through the FusionAuth and Proxies documentation? Are you sure Nginx has been configured properly?

hamza.chouaibi · 28 Mar 2025, 06:52

@mark-robustelli

Here is a detailed explanation of my tests.

Modifying `/etc/hosts`

I added the following entries to my /etc/hosts file:

127.0.0.1   auth.domain.test
127.0.0.1   app.domain.test

Nginx Proxy Configuration

Authentication Service

server {
    listen 443;
    server_name auth.domain.test;
    ssl_certificate     /etc/nginx/conf.d/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/localhost.key;

    location / {
        proxy_pass http://EC2-instance-IP:9011;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header "X-Forwarded-Port" "80";
        proxy_http_version 1.1;
    }
}

Application Service

server {
    listen 443;
    server_name app.domain.test;
    ssl_certificate     /etc/nginx/conf.d/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/localhost.key;

    location / {
        proxy_pass http://app-container:4200;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Testing Different TLDs

I then replaced the .test TLD with several alternatives to determine which ones worked in this local setup. The tested TLDs and their outcomes are summarized in the table below:

TLD	Result
`.local`	Failed
`.test`	Failed
`.internal`	Failed
`.net`	Succeeded
`.org`	Succeeded
`.com`	Succeeded

Nothing changed in all the tests except the TLDs, so I doubt it's an issue with the proxy.

We deciced to use .net for our local dev env and this working fine now for all our develpers.

lokihak188 · 2 Apr 2025, 09:53

@hamza-chouaibi said in FusionAuth setting wrong domain the the cookie io games:

I am using custom local domains.

https://auth.domain.test <= FusionAuth
https://app.domain.test <= Angular app

I also tried FusionAuth at https://auth.app.domain.test but I still get the same issue and chrome block the cookie.

I am getting issue with cookies, the domain on cookies is test.

Example: app.at_exp=1742980022; Domain=test; Max-Age=3599; Path=/; SameSite=Lax; Secure

Any idea why we endup wuth Domain=test ?

The SameSite=Lax attribute restricts the cookie from being sent with cross-site requests. If your application is making requests across subdomains, you may need to adjust this setting to SameSite=None; Secure for cross-origin requests.

o.melvinotieno

@hamza-chouaibi Been having this same exact issue for the last one week. When I stumbled onto this and applied the suggestions here is when it now seems to work. I use the .dev TLD instead.