HTTP cookie not storing in browser with Next.js client and Go server

Issue Description

I’m working on an authentication system where my Go backend sends a cookie containing a refresh token after successful login. The problem is that even though I can see the Set-Cookie header in the browser dev tools, the cookie never gets stored in the browser.

Setup Details

  • Client: https://webapp.example.com
  • Backend: https://backend.example.com

Backend Cookie Implementation (Go)

http.SetCookie(response, &http.Cookie{
    Name:     "AUTH_TOKEN",
    Value:    tokenData.RefreshValue,
    Expires:  time.Now().Add(30 * 24 * time.Hour),
    HttpOnly: true,
    SameSite: http.SameSiteNoneMode,
    Secure:   true,
    Path:     "/",
    Domain:   "https://webapp.example.com",
})

Frontend API Call (Next.js)

const response = await fetch("https://backend.example.com/token-refresh", {
  headers: {
    "Content-Type": "application/json",
  },
  method: "POST",
  credentials: "include",
});

What I’ve Checked

  • The Set-Cookie header shows up correctly in network requests
  • Cookie has SameSite=None and Secure=true for cross-origin requests
  • Using credentials: "include" in fetch calls

Questions

  1. Why might the browser refuse to store this cookie?
  2. What additional configuration might be needed for cross-domain cookie handling?

Your Domain attribute is causing the problem. You can’t set a cookie for a domain that’s different from your backend domain. Your backend runs on backend.example.com but tries to set a cookie for webapp.example.com; browsers block this for security reasons. Remove the Domain attribute completely from your cookie config. This makes it default to your backend domain. Then update your frontend to make requests to the backend domain where the cookie actually lives. Or you could set up same-origin auth or use a shared parent domain like .example.com if you control both subdomains.

I had the same issue too; your Domain setting’s off. It should be just webapp.example.com, leave out https://. The Domain field only needs the name, not the protocol.

Interesting cross-domain setup! Are you testing in Chrome? It’s been really strict about third-party cookies lately. Also, are your CORS headers configured properly on the backend?
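An added example (not code from the question or from any of the replies) that covers both the Domain advice in the first answer and the CORS question in the last comment. It renders the cookie exactly as http.SetCookie would, so you can see what the backend actually emits for a Domain with a scheme in it versus a bare parent domain, and it runs a minimal /token-refresh handler in-process with net/http/httptest to check the response headers a credentialed cross-origin fetch needs. The origins, the cookie value and the handler are assumptions for illustration; the only real dependency is the Go standard library.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Assumed origin of the Next.js app (from the question). The backend is the
// host that answers the request, so it never needs to be named in the cookie.
const webappOrigin = "https://webapp.example.com"

// newRefreshCookie builds the refresh-token cookie. domain is "" for a
// host-only cookie (scoped to the responding host, backend.example.com) or a
// bare parent domain such as ".example.com" to share it across subdomains.
func newRefreshCookie(value, domain string) *http.Cookie {
	return &http.Cookie{
		Name:     "AUTH_TOKEN",
		Value:    value,
		Expires:  time.Now().Add(30 * 24 * time.Hour),
		HttpOnly: true,
		SameSite: http.SameSiteNoneMode, // needed for a cross-site fetch with credentials
		Secure:   true,                  // browsers only accept SameSite=None together with Secure
		Path:     "/",
		Domain:   domain,
	}
}

// setCookieHeader returns the Set-Cookie value http.SetCookie would write.
// net/http drops a Domain that is not a valid cookie domain (it logs
// "invalid Cookie.Domain ... dropping domain attribute"), so a value with a
// scheme in it silently turns into a host-only cookie.
func setCookieHeader(c *http.Cookie) string {
	return c.String()
}

// hasDomainAttr reports whether a rendered Set-Cookie value carries Domain=.
func hasDomainAttr(header string) bool {
	return strings.Contains(strings.ToLower(header), "; domain=")
}

// tokenRefreshHandler is an assumed handler showing the response a credentialed
// cross-origin request needs: the cookie plus CORS headers that allow exactly
// one origin. Access-Control-Allow-Origin must not be "*" when
// Access-Control-Allow-Credentials is "true".
func tokenRefreshHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Origin") == webappOrigin {
		w.Header().Set("Access-Control-Allow-Origin", webappOrigin)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Set("Vary", "Origin")
	}
	if r.Method == http.MethodOptions { // preflight for the JSON POST
		w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS")
		w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
		w.WriteHeader(http.StatusNoContent)
		return
	}
	// Constructed placeholder value; a real handler mints the token here.
	http.SetCookie(w, newRefreshCookie("example-refresh-token", ""))
	w.WriteHeader(http.StatusOK)
}

// issueCookie drives the handler in-process and returns the parsed cookie
// (nil if none was set) and the response headers.
func issueCookie(origin string) (*http.Cookie, http.Header) {
	req := httptest.NewRequest(http.MethodPost, "https://backend.example.com/token-refresh", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	tokenRefreshHandler(rec, req)
	res := rec.Result()
	cookies := res.Cookies()
	if len(cookies) == 0 {
		return nil, res.Header
	}
	return cookies[0], res.Header
}

func main() {
	bad := setCookieHeader(newRefreshCookie("x", "https://webapp.example.com"))
	fmt.Printf("scheme in Domain -> %q (Domain attr present: %v)\n", bad, hasDomainAttr(bad))
	good := setCookieHeader(newRefreshCookie("x", ".example.com"))
	fmt.Printf("parent domain    -> %q (Domain attr present: %v)\n", good, hasDomainAttr(good))
	c, h := issueCookie(webappOrigin)
	fmt.Printf("handler set %s host-only=%v ACAO=%s\n", c.Name, c.Domain == "", h.Get("Access-Control-Allow-Origin"))
}
```

Two things worth taking from this: first, compare the Set-Cookie value in the dev tools with what this prints, because the Domain you wrote in Go and the Domain the browser sees are not necessarily the same; second, a host-only cookie for backend.example.com is only sent back on requests to backend.example.com, which is what the fetch with credentials: "include" does, provided the CORS response names the exact origin and allows credentials.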