Cookie Confusion
I'm using iron-session to store the information necessary for ConnectKit's Sign-In With Ethereum (SIWE) to work on a GitHub pages hosted site backed by Supabase edge functions. (ConnectKit expects to have access to a /session endpoint that returns the authenticated user's Ethereum address.)

iron-session stores session information as an encrypted string sent back and forth as a cookie. The problem I'm having is if SameSite is set to Lax or Strict, I get an error:

This attempt to set a cookie via a set-cookie header was blocked because it had a SameSite="Lax" attribute but came from a cross-site response which was not a response to a top-level navigation.

This is because the Supabase edge functions run on a randomuid.supabase.co host. If I set SameSite to None, I can get the cookie to go through, but I know browsers are increasingly restricting third-party cookies.
Anyone have a suggestion as to how I should restructure my code? The obvious solution would be to use Supabase's session, but because I'm using SIWE, I don't think I have access to it. The Google page on deprecation of third-party cookies lists a few technological alternatives; probably using partitioned cookies is the way to go.