🚨 Cross-subdomain authentication issue: Supabase session cookie Domain attribute
Hello Supabase team and community,
I am encountering an issue with cross-subdomain authentication for my application, which uses Supabase for user management. My goal is to achieve a single login session that persists across my main domain (
Problem Description: When a user signs in on
Steps to Reproduce:
1. Access the application at
2. Open browser developer tools (e.g., Chrome DevTools) and navigate to the "Network" tab.
3. Clear all network requests.
4. Enter valid user credentials and click the "Sign In" button.
5. Observe the network requests, specifically the one related to the Supabase authentication endpoint (e.g.,
6. Inspect the "Response Headers" for this request.
7. Note the
8. Navigate to
9. Observe that the user is not authenticated and is redirected to the sign-in page.
10. Check the "Application" tab -> "Cookies" for
Expected Behavior: After signing in on
Actual Behavior: The session does not persist across subdomains, requiring the user to sign in again on
Relevant Code/Configuration: My client-side code (using
Console logs confirm that
In the Supabase dashboard, under "Authentication -> URL Configuration", both
Key Finding (Network Tab): The critical observation from the network tab is that the
Example
This "host-only" cookie prevents it from being accessible on
Question: How can I configure my Supabase project or understand why the
Thank you
I am encountering an issue with cross-subdomain authentication for my application, which uses Supabase for user management. My goal is to achieve a single login session that persists across my main domain (
https://reirev.comhttps://app.reirev.comProblem Description: When a user signs in on
https://reirev.comhttps://app.reirev.comSteps to Reproduce:
1. Access the application at
https://reirev.com2. Open browser developer tools (e.g., Chrome DevTools) and navigate to the "Network" tab.
3. Clear all network requests.
4. Enter valid user credentials and click the "Sign In" button.
5. Observe the network requests, specifically the one related to the Supabase authentication endpoint (e.g.,
POST/auth/v1/token6. Inspect the "Response Headers" for this request.
7. Note the
Set-Cookiesb-auth-token8. Navigate to
https://app.reirev.com9. Observe that the user is not authenticated and is redirected to the sign-in page.
10. Check the "Application" tab -> "Cookies" for
https://app.reirev.comsb-auth-tokenExpected Behavior: After signing in on
https://reirev.comhttps://app.reirev.comActual Behavior: The session does not persist across subdomains, requiring the user to sign in again on
https://app.reirev.comRelevant Code/Configuration: My client-side code (using
@supabase/supabase-jssrc/lib/supabase.tscreateClientConsole logs confirm that
Auth cookie domain: .reirev.comIn the Supabase dashboard, under "Authentication -> URL Configuration", both
https://reirev.comhttps://app.reirev.comhttp://localhost:3000Key Finding (Network Tab): The critical observation from the network tab is that the
Set-Cookiesb-auth-tokenDomainreirev.com.reirev.comExample
Set-Cookiesb-auth-token=...; Path=/; Domain=reirev.com; Max-Age=2592000; HttpOnly; Secure; SameSite=LaxThis "host-only" cookie prevents it from being accessible on
app.reirev.comQuestion: How can I configure my Supabase project or understand why the
sb-auth-tokenDomain=reirev.comDomain=.reirev.comThank you
