Cookies are empty when site comes from redirect

[indify-co]

Hello! I've been trying to debug this issue for weeks and have not been able to find a solution to it, so any help would be greatly appreciated.

Context

I have a NextJS app that stores a session cookie to allow the user to remain logged in. Once logged in, the user can open a checkout session in Stripe, which then passes in a redirect URL for Stripe to use when the user is done with the checkout flow.

Normally, when Stripe redirects back to my website, I would expect the user's session cookie to be available so that I can keep them logged in. This session cookie is read from getInitialProps in _app.js, and is used to load a logged-in view.

The problem

Currently when Stripe redirects back to my website, the cookies are empty so the user appears logged out. Only when I refresh the page do the cookies actually get populated.

I noticed in the network tab that when Stripe redirects back, this sets the Sec-Fetch-Site header to cross-site, meanwhile refreshing it manually sets it to same-origin. Is it possible this header is causing this behavior?

[Manikanta-20]

@indify-co
facing same issue

[pawelmiklas]

@indify-co @Manikanta-20 How did you solve the problem?

[elijah-stytch]

One workaround i've found is setting the cookie in the response header

// serialize() can be found by importing: import {serialize} from 'cookie';
var token = "some random string"
res.setHeader('Set-Cookie', serialize(process.env.COOKIE_NAME as string, token, { path: '/' }));

Then you can read the cookies in the request OR from the cookies directly. Something like:

var cookie = req.cookies[process.env.COOKIE_NAME as string] || '')

[AimeSoleil]

It might be related to the cookie policy.

See @richard Garside's answer: https://stackoverflow.com/questions/40781534/chrome-doesnt-send-cookies-after-redirect/66601926#66601926

[darphiz]

You have to set the cookie samesite attribute to "lax"
type Site = boolean | "lax" | "strict" | "none" | undefined const sameSite:Site = "lax" const options = { ...ctx, maxAge: expires_in * 2, path: "/", sameSite, };

[dhanan-doodle]

facing same issue

[RayHughes]

Setting the cookie as lax over strict will fix the issue

[MatMakSolutions]

facing the same issue in dot net core 5, I have set the cookie same site to lax, and the problem is still there,
to note that the testing website has no issue at all and works perfectly as the API and the MVC project are on the same server but the production website has API and the MVC projects on different servers, Does this have a related effect also I am facing the problem in all the servers except Edg, it works fine?