crossSubDomainCookies breaks login in production (works on localhost)
Next.jsDoes Better Auth have issues with crossSubDomainCookies when behind a reverse proxy? Are there additional headers or settings needed?
- Caddy reverse proxy (HTTPS termination, forwards to HTTP)
- Domain: app.mydomain.com (main) + .app.mydomain.com (instances)
```
trustedOrigins: [
'https://app.mydomain.com',
'https://.app.mydomain.com'
],
advanced: {
crossSubDomainCookies: {
enabled: true,
domain: 'app.mydomain.com'
}
}
After Google OAuth callback, user gets redirected back to login page. Logs show state_mismatch error.
Localhost with same config (minus HTTPS). What fails: Production behind Caddy proxy.
Environment:
- Next.js 15 (App Router) on port 3000- Caddy reverse proxy (HTTPS termination, forwards to HTTP)
- Domain: app.mydomain.com (main) + .app.mydomain.com (instances)
Server config (auth.ts):
```
trustedOrigins: [
'https://app.mydomain.com',
'https://.app.mydomain.com'
],
advanced: {
crossSubDomainCookies: {
enabled: true,
domain: 'app.mydomain.com'
}
}
``
## Client config:
Symptom:
After Google OAuth callback, user gets redirected back to login page. Logs show state_mismatch error.
What works:
Localhost with same config (minus HTTPS). What fails: Production behind Caddy proxy.
