SupabaseS
Supabase6mo ago
John Johnson

🚨 Cross-subdomain authentication issue: Supabase session cookie Domain attribute

Hello Supabase team and community,

I am encountering an issue with cross-subdomain authentication for my application, which uses Supabase for user management. My goal is to achieve a single login session that persists across my main domain (https://reirev.com) and its subdomain (https://app.reirev.com).

Problem Description: When a user signs in on https://reirev.com, the session is not recognized when they navigate to https://app.reirev.com. Instead, they are redirected back to the sign-in page on the subdomain, indicating that the authentication session is not being shared.

Steps to Reproduce:

  1. Access the application at https://reirev.com.
  2. Open browser developer tools (e.g., Chrome DevTools) and navigate to the "Network" tab.
  3. Clear all network requests.
  4. Enter valid user credentials and click the "Sign In" button.
  5. Observe the network requests, specifically the one related to the Supabase authentication endpoint (e.g., 
    POST
     to /auth/v1/token).
  6. Inspect the "Response Headers" for this request.
  7. Note the Set-Cookie header for sb-auth-token.
  8. Navigate to https://app.reirev.com in the same browser session.
  9. Observe that the user is not authenticated and is redirected to the sign-in page.
  10. Check the "Application" tab -> "Cookies" for https://app.reirev.com; the sb-auth-token cookie is not present or not accessible.
Expected Behavior: After signing in on https://reirev.com, the user's session should be recognized and persist when navigating to https://app.reirev.com, allowing for a seamless single sign-on experience across subdomains.

Actual Behavior: The session does not persist across subdomains, requiring the user to sign in again on https://app.reirev.com.

Relevant Code/Configuration: My client-side code (using @supabase/supabase-js) is configured to request the session cookie for the root domain. In src/lib/supabase.ts, the createClient call includes:

export const supabase = createClient<Database>(supabaseUrl, supabaseAnonKey, {
  auth: {
    storageKey: 'sb-auth-token',
    autoRefreshToken: true,
    persistSession: true,
    detectSessionInUrl: true,
    cookieOptions: {
      domain: getRootDomain(), // getRootDomain() returns '.reirev.com'
      path: '/',
      sameSite: 'lax',
      secure: process.env.NODE_ENV !== 'development',
      maxAge: 60 * 60 * 24 * 30, // 30 days
    }
  }
});


Console logs confirm that Auth cookie domain: .reirev.com is being passed to the Supabase client.

In the Supabase dashboard, under "Authentication -> URL Configuration", both https://reirev.com and https://app.reirev.com (along with http://localhost:3000 and specific reset password URLs) have been added to the "Site URL" and "Redirect URLs".

Key Finding (Network Tab): The critical observation from the network tab is that the Set-Cookie header for sb-auth-token returned by the Supabase server is setting the Domain attribute as reirev.com (without the leading dot), instead of .reirev.com.

Example Set-Cookie header observed: sb-auth-token=...; Path=/; Domain=reirev.com; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax

This "host-only" cookie prevents it from being accessible on app.reirev.com.

Question: How can I configure my Supabase project or understand why the sb-auth-token session cookie is being issued with Domain=reirev.com instead of Domain=.reirev.com from the server side, despite the client requesting the latter? Is there a specific setting in the Supabase dashboard or a known behavior for custom domains that needs to be addressed to ensure the cookie is issued for the root domain?

Thank you ❤️
Was this page helpful?