Cookie Confusion

I'm using

iron-session

iron-session

to store the information necessary for ConnectKit's Sign-In With Ethereum (SIWE) to work on a GitHub pages hosted site backed by Supabase edge functions. (ConnectKit expects to have access to a
/session
/session
endpoint that returns the authenticated user's Ethereum address.)

iron-session

iron-session

stores session information as an encrypted string sent back and forth as a cookie. The problem I'm having is if

SameSite

SameSite

is set to

Lax

Lax

Strict

Strict

, I get an error:

This attempt to set a cookie via a set-cookie header was blocked because it had a

This attempt to set a cookie via a set-cookie header was blocked because it had a

SameSite="Lax"

 attribute but came from a cross-site response which was not a response to a top-level navigation.

 attribute but came from a cross-site response which was not a response to a top-level navigation.

This is because the Supabase edge functions run on a

randomuid.supabase.co

randomuid.supabase.co

host. If I set

SameSite

SameSite

None

None

, I can get the cookie to go through, but I know browsers are increasingly restricting third-party cookies.

Anyone have a suggestion as to how I should restructure my code? The obvious solution would be to use Supabase's session, but because I'm using SIWE, I don't think I have access to it. The Google page on deprecation of third-party cookies lists a few technological alternatives, probably using partitioned cookies is the way to go.

Cookie Confusion

Similar Threads

Cookie Confusion

Similar Threads

Similar Threads

Similar Threads