Better Auth, 4mo ago

Cookie “__Secure-session_token” has been rejected for invalid prefix.

I really don't know why, but I can't set the cookie for the client and can't log in to my app.
26 Replies
Blank, 4mo ago
Are you trying to set secure cookies on localhost?
r. (OP), 4mo ago
Yes, but on localhost it works without the __Secure prefix.
Blank, 4mo ago
Secure cookies work on https only.
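As an added illustration (not code from the thread or from Better Auth), the function below models the browser-side cookie-prefix check from RFC 6265bis that is behind the "rejected for invalid prefix" warning: a `__Secure-` cookie is kept only if it carries the Secure attribute and is set from an https origin, and a `__Host-` cookie additionally needs Path=/ and no Domain. The sample Set-Cookie header and the helper names are constructed; whether a browser treats http://localhost as a secure context is passed in explicitly, since that varies by browser and version.

```javascript
// Added example: a model of the browser's cookie-prefix rules (RFC 6265bis),
// not Better Auth code. Split a Set-Cookie header into name, value and
// lower-cased attributes; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? "" : nameValue.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Decide whether a browser would store the cookie. originScheme is the scheme
// of the page that received the header ("https" or "http"); the caller decides
// how to classify http://localhost, because browsers differ on that.
function checkCookiePrefix(header, originScheme) {
  const { name, attributes } = parseSetCookie(header);
  const secureOrigin = originScheme === "https";
  if (name.startsWith("__Secure-") || name.startsWith("__Host-")) {
    if (attributes.secure !== true) {
      return { accepted: false, reason: "prefix requires Secure attribute" };
    }
    if (!secureOrigin) {
      return { accepted: false, reason: "prefixed cookie set from insecure origin" };
    }
  }
  if (name.startsWith("__Host-")) {
    if ("domain" in attributes) return { accepted: false, reason: "__Host- forbids Domain" };
    if (attributes.path !== "/") return { accepted: false, reason: "__Host- requires Path=/" };
  }
  // An unprefixed Secure cookie is also dropped when set from an insecure origin.
  if (attributes.secure === true && !secureOrigin) {
    return { accepted: false, reason: "Secure cookie from insecure origin" };
  }
  return { accepted: true, reason: "ok" };
}

// Constructed sample shaped like the cookie named in this thread's error; the
// value is a placeholder. It is rejected over http and accepted over https.
const sampleHeader =
  "__Secure-session_token=PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=None";
const overHttp = checkCookiePrefix(sampleHeader, "http"); // accepted: false
const overHttps = checkCookiePrefix(sampleHeader, "https"); // accepted: true
```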
r. (OP), 4mo ago
Yeah, I know; on prod with the __Secure prefix the cookie can't be set.
Blank, 4mo ago
Show your auth config.
r. (OP), 4mo ago
With the error on the console: "Cookie “__Secure-session_token” has been rejected for invalid prefix."
appName: process.env.NODE_ENV === 'production' ? process.env.APP_NAME : process.env.APP_NAME ?? 'Better Auth',
baseURL: process.env.NODE_ENV === 'production' ? process.env.BETTER_AUTH_URL : 'http://localhost:3000',
basePath: process.env.BETTER_AUTH_PATH || '/auth',
trustedOrigins: [process.env.BETTER_AUTH_URL || 'http://localhost:3000', 'http://localhost:5173'],
secret: process.env.BETTER_AUTH_SECRET || 'secret',
advanced: {
  useSecureCookies: process.env.NODE_ENV === 'production' ? true : false,
  crossSubDomainCookies: {
    enabled: process.env.NODE_ENV === 'production' ? true : true,
    domain: '.' + process.env.BETTER_AUTH_DOMAIN, // Domain with a leading period
  },
  defaultCookieAttributes: {
    secure: process.env.NODE_ENV === 'production' ? true : true,
    sameSite: 'none',
    httpOnly: true,
    partitioned: false,
  },
  database: {
    generateId: false, // Disable BA ID generation, db will handle it
  },
},
Blank, 4mo ago
Oh god.
r. (OP), 4mo ago
I can set all options to true locally and I can set the cookie, because there's no __Secure prefix.
Blank, 4mo ago
Most things have sensible defaults; you don't need to set them like this.
Blank, 4mo ago
[image attachment, no description]
r. (OP), 4mo ago
Yeah, I know. Okay, I changed my config:
appName: process.env.APP_NAME ?? 'Better Auth',
baseURL: process.env.NODE_ENV === 'production' ? process.env.BETTER_AUTH_URL : 'http://localhost:3000',
basePath: process.env.BETTER_AUTH_PATH || '/auth',
trustedOrigins: [process.env.BETTER_AUTH_URL || 'http://localhost:3000', 'http://localhost:5173'],
secret: process.env.BETTER_AUTH_SECRET || 'secret',
advanced: {
  useSecureCookies: process.env.NODE_ENV === 'production',
  crossSubDomainCookies: {
    enabled: true,
    domain: '.' + process.env.BETTER_AUTH_DOMAIN, // Domain with a leading period
  },
  defaultCookieAttributes: {
    secure: true,
    sameSite: 'none',
    httpOnly: true,
  },
  database: {
    generateId: false, // Disable BA ID generation, db will handle it
  },
},
On http://localhost it's working in dev mode and not working in prod mode (that's ok). I set up my app on Linux with Docker and the Caddy web server and started it in prod mode on https.
Blank, 4mo ago
And? I'm not sure about the proxies, but it should work though.
r. (OP), 4mo ago
Caddy with a minimal config, only to host the static frontend files.
Blank, 4mo ago
What is your prod domain?
r. (OP), 4mo ago
Sorry, I can't say, but it's a subdomain like work.domain.com.
Blank, 4mo ago
Ok.
Blank, 4mo ago
We have this __Secure automatically applied.
[image attachment, no description]
Blank, 4mo ago
This is the only config we have set up.
[image attachment, no description]
Blank, 4mo ago
GitHub: Zero/apps/server/src/lib/auth.ts at main · Mail-0/Zero
M, 4mo ago
@Blank Hey 🙂 Would you mind giving me a hint too 🙏 I'm experiencing a similar issue, but: when I set the cookie manually in the headers, using the session token as the value (received after logging in), the auth.api.getSession() method rejects it. Do you know why? Here is my config related to cookies:
advanced: {
  disableCSRFCheck: false,
  useSecureCookies: false,
  cookiePrefix: 'roho',
  defaultCookieAttributes: {
    secure: true,
    httpOnly: true,
    sameSite: 'lax', // Default, to prevent cross-site request forgery attacks
    partitioned: true, // New browser standards will mandate this for foreign cookies
  },
}
I work with the Bruno API client (similar to Postman). Tried via curl too. KEY: Cookie VALUE: myprefix.session_token=random_sesion_token @Blank hey! You here?
Blank, 4mo ago
Oh, I didn't see this. What's your issue?
M, 4mo ago
I'm trying to test authentication with a cookie via curl and Postman. I use auth.api.getSession() in my middleware to validate the session and let a user create a to-do. This is what I send:
curl --request POST \
  --url http://localhost:8080/todos \
  --header 'content-type: application/json' \
  --cookie 'test.session_token=my_token_from_login' \
  --data '{
    "title": "Todo"
  }'
However, it fails to authenticate every time. This is from my middleware:
auth.api.getSession({
  query: {
    disableCookieCache: true,
  },
  asResponse: false,
  headers: fromNodeHeaders(headers),
});
My better-auth config related to cookies:
advanced: {
  disableCSRFCheck: false,
  useSecureCookies: false,
  cookiePrefix: 'test',
  defaultCookieAttributes: {
    secure: true,
    httpOnly: true,
    sameSite: 'lax', // Defaults to lax, to prevent cross-site request forgery attacks
    partitioned: true, // New browser standards will mandate this for foreign cookies
  },
},
@Blank I'm really confused.
Blank, 4mo ago
What's the error?
M, 4mo ago
It just returns null @Blank
[image attachment, no description]
M, 4mo ago
I have no idea why, to be honest. Okay, I finally made it work. All good, my middleware works for both a bearer token and a cookie. Thanks for your help!
r. (OP), 4mo ago
Enable https on your local network and you will have no errors. @Blank @M
