Frontend not receiving cookies sent from backend

My Setup

I have a full stack application with a backend powered by NestJS, Redis for session management, and Postgres for the database. The backend is hosted on a VPS server using nginx and available at backend.exampleurl.com, while the frontend is accessible at frontend.exampleurl.com. I utilize cookie-based authentication with sessions stored in Redis.

Backend Configuration

app.use(
    session({
        secret: config.getOrThrow<string>('SESSION_SECRET'),
        name: config.getOrThrow<string>('SESSION_NAME'),
        resave: true,
        saveUninitialized: false,
        cookie: {
            domain: '.exampleurl.com',
            maxAge: 604800000,
            httpOnly: true,
            secure: true,
            sameSite: 'none',
        },
        store: new RedisStore({
            client: redis,
            prefix: config.getOrThrow<string>('SESSION_FOLDER'),
        }),
    }),
);
app.enableCors({
    credentials: true,
    exposedHeaders: ['Set-Cookie'],
    origin: 'https://frontend.exampleurl.com',
    allowedHeaders: 'Content-Type, Accept, Authorization',
});

Nginx Configuration

location / {
    proxy_pass http://127.0.0.1:8001;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Cookie $http_cookie;
    proxy_pass_request_headers on;

    proxy_pass_header Set-Cookie;
    proxy_pass_header Access-Control-Allow-Origin;
    proxy_pass_header Access-Control-Allow-Credentials;
    proxy_pass_header Access-Control-Allow-Headers;
    proxy_pass_header Access-Control-Expose-Headers;
    proxy_pass_header Access-Control-Allow-Methods;

    add_header 'Cache-Control' "no-store, no-cache, must-revalidate, max-age=0";
}

The Issue

When I attempt to authenticate from the frontend, the auth cookie is not sent back from the backend; the response lacks the Set-Cookie header entirely.

I’ve tested it locally, running both the backend at https://localhost:8001 and the frontend at https://localhost:3000 with identical cookie settings, and everything works flawlessly. However, once deployed, the cookies fail to transfer. Is it possible that nginx is causing this issue?

You might wanna check if the Set-Cookie header is showing up in your backend logs before nginx gets it. Sometimes the session middleware doesn’t fire in production. Also, double-check that Redis is connecting on your VPS - production networks can mess with session storage.

nginx is probably stripping your set-cookie header. Add proxy_cookie_domain localhost .exampleurl.com; and proxy_cookie_path / /; to your config. Also double-check that your backend’s actually creating the session - I’ve seen cases where cookie settings look fine but sessions fail silently in prod.

Your cookie setup looks right, but this is probably a CORS preflight issue. When browsers send OPTIONS requests, nginx might not handle the cookie headers properly in the follow-up POST request. Add explicit OPTIONS handling to your nginx config and make sure your backend session middleware actually triggers during auth. I had the same problem - the session got created but nginx dropped the Set-Cookie header during the proxy response. Check your backend logs to see if the session’s being created, and verify nginx isn’t filtering response headers through security modules or other configs.
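Added example, not part of the thread or anyone's posted code: assuming the `session()` call in the question is express-session, this simplified JavaScript model of its secure-cookie check shows why `secure: true` yields a Set-Cookie when Node terminates TLS itself (the local test) but none behind the question's plain-HTTP `proxy_pass` unless the proxy is trusted. The `socketEncrypted` field, the `sid` cookie name and the request objects are constructed for illustration.

```javascript
// Simplified model (not express-session's source) of how a session
// middleware decides whether to emit a cookie marked `secure`.

// Is the request HTTPS from the backend's point of view?
function isSecure(req, trustProxy) {
  // TLS terminated by Node itself, e.g. the local https://localhost:8001 test.
  if (req.socketEncrypted) return true;
  // Plain-HTTP hop and proxy headers not trusted: treated as insecure.
  if (!trustProxy) return false;
  // Trusted proxy: believe the first X-Forwarded-Proto value only.
  const header = req.headers['x-forwarded-proto'] || '';
  return header.split(',')[0].trim().toLowerCase() === 'https';
}

// Returns the Set-Cookie value, or null when the cookie is withheld.
function sessionSetCookie(req, { name, cookie, trustProxy }) {
  if (cookie.secure && !isSecure(req, trustProxy)) return null;
  const parts = [`${name}=<session-id>`, `Domain=${cookie.domain}`, 'Path=/'];
  if (cookie.httpOnly) parts.push('HttpOnly');
  if (cookie.secure) parts.push('Secure');
  if (cookie.sameSite) parts.push(`SameSite=${cookie.sameSite}`);
  return parts.join('; ');
}

// Cookie options copied from the question; `sid` is a placeholder name.
const cookie = { domain: '.exampleurl.com', httpOnly: true, secure: true, sameSite: 'none' };

// Constructed requests: direct TLS to Node, and the nginx hop from the
// question (proxy_pass http://127.0.0.1:8001 with X-Forwarded-Proto set).
const localTls = { socketEncrypted: true, headers: {} };
const viaNginx = { socketEncrypted: false, headers: { 'x-forwarded-proto': 'https' } };

function scenarios() {
  return {
    localHttps: sessionSetCookie(localTls, { name: 'sid', cookie, trustProxy: false }),
    nginxUntrusted: sessionSetCookie(viaNginx, { name: 'sid', cookie, trustProxy: false }),
    nginxTrusted: sessionSetCookie(viaNginx, { name: 'sid', cookie, trustProxy: true }),
  };
}

console.log(scenarios());
```

In a real app the corresponding switches are Express's `trust proxy` setting or express-session's `proxy: true` option. Enable them only when the backend is reachable solely through nginx (as with the 127.0.0.1 upstream here), since a directly reachable backend would accept a client-supplied X-Forwarded-Proto.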