
node.js - Changing cookie domain interferes with existing cookies on Google Chrome - Stack Overflow


Follow-up on "Express session loses passport user ID on a Safari cookie every week". I am trying to set a domain on cookies in a NodeJS app. Without a domain, I can log in on Safari and on Chrome, but Safari logs out the user after 7 days (probably due to Intelligent Tracking Protection), which is why I want to add a domain. When I add a domain, I can log in on Safari; on Google Chrome, I can only log in if I delete the cookie that does not have a domain.

Here is the NodeJS code with a domain:

const express = require('express');
const session = require('express-session');
const MongoDBStore = require('connect-mongodb-session')(session);

const app = express();
const MONGO_URI = process.env.MONGO_URI;  // connection string, supplied through the environment

const max_session_ms = 365 * 24 * 60 * 60 * 1000;  // one year

// Initialize mongodb session storage to remember users.
const store = new MongoDBStore({
  uri: MONGO_URI,
  expires: max_session_ms,
});

// Enable sessions using signed cookies (express-session signs the session ID with `secret`).
// httpOnly and secure are cookie attributes, so they go inside `cookie`; at the top level
// express-session ignores them.
app.use(
  session({
    cookie: {
      maxAge: max_session_ms,
      sameSite: "lax",
      domain: "ginja",  // <- line added to add a domain to the cookie
      path: "/",  // <- line added to add a domain to the cookie
      httpOnly: true,  // Don't let browser javascript access cookies.
      secure: true,  // Use cookies over https.
    },
    store: store,
    secret: "some secret",
    resave: true,  // Resave when user visits again and extend expiration date.
    saveUninitialized: false,  // Save only explicitly, e.g. when logging in.
  })
);

I had the server running without the lines commented with // <- line added to add a domain to the cookie. I can log in on Safari and on Chrome.

I add those two lines and restart the server. I am still logged in on both Safari and Chrome, thanks to the previous cookie.

I log out of the website, which deletes the session in MongoDB but keeps the cookie on the client. When I log in again on Safari, I see the previous cookie without a domain (Domain: ginja probably gets auto-filled) and a cookie with a domain (Domain: .ginja, notice the leading period). The ID of the cookie matches the one in the database.

When I do the same thing on Chrome (log out, log in again with the server running the code with the domain), I see the previous cookie without a domain (which no longer exists in the database) and a new cookie with a domain set by Express uninitialized, but I am not logged in. I check the MongoDB session collection and find that a session was started, but Chrome did not save that cookie. If I delete the previous cookie without a domain, then I can log in.

If I change the code to have a domain, it works fine for all new users and for all users on Safari, but existing users on Chrome won't be able to log in unless they delete cookies or use a private window.

What is the name of this issue with Google Chrome and multiple domains, and how can I fix it?

Update:

I have the same problem if I include a leading period in the domain, i.e. domain: ".ginja".

I saw a warning in the console that cookies with SameSite: None; Secure and without Partitioned would be considered third-party cookies and ignored in a future update, but I explicitly allowed all third-party cookies, restarted Chrome, and I have the same problem.

As an experiment, I tried setting a different domain, e.g. ginja when I am running it locally, and neither Safari nor Chrome stores the cookie, i.e. I have the same problem. So I believe the issue is that Google Chrome sees this cookie as a cross-domain cookie and ignores it.
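The situation the question describes on Safari, a cookie without a Domain attribute and a cookie with one coexisting under the same name, follows from the generic cookie rules in RFC 6265. The Node script below is an added example, not code from the question, from any answer, or from express-session: it models a browser cookie jar just far enough to show (1) that a host-only cookie and a domain cookie with the same name are stored separately, (2) that both are sent back to the host in creation order, so a server that keeps the first value per name (the rule the npm `cookie` parser used by express-session applies) reads the stale session ID, and (3) that the server can clear the legacy host-only cookie by setting the same name and path with no Domain attribute and Max-Age=0. The hostname `ginja`, the session IDs and the `CookieJar` class are constructed for the example; real browsers layer extra rules on top of this model and those are not reproduced.

```javascript
// Added example (not from the question or express-session): an RFC 6265 model of
// host-only vs. domain cookies sharing one name. Hostnames and session ids are constructed.

// Turn one Set-Cookie header value into a cookie record (RFC 6265 sections 5.2/5.3).
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost, // no Domain attribute: host-only cookie for the request host
    hostOnly: true,
    path: '/',
    maxAge: null,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': // leading dot is ignored; the cookie becomes a domain cookie
        cookie.domain = v.replace(/^\./, '').toLowerCase();
        cookie.hostOnly = false;
        break;
      case 'path':
        cookie.path = v || '/';
        break;
      case 'max-age':
        cookie.maxAge = Number(v);
        break;
    }
  }
  return cookie;
}

// Domain matching (RFC 6265 section 5.1.3): the host itself or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() {
    this.cookies = [];
    this.seq = 0; // creation order, used when building the Cookie header
  }

  // Store a cookie. Same name, domain, path and host-only flag replaces the old record;
  // with Max-Age<=0 the replacement is evicted, which is how a server deletes a cookie.
  store(header, requestHost) {
    const c = parseSetCookie(header, requestHost);
    this.cookies = this.cookies.filter(
      (o) => !(o.name === c.name && o.domain === c.domain &&
               o.path === c.path && o.hostOnly === c.hostOnly),
    );
    if (c.maxAge !== null && c.maxAge <= 0) return;
    c.created = this.seq++;
    this.cookies.push(c);
  }

  // Cookie request header for a host (section 5.4): host-only cookies need an exact host
  // match, domain cookies a domain match; longer paths first, then earlier creation first.
  cookieHeader(host) {
    return this.cookies
      .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Server-side parse that keeps the FIRST value of a repeated name (first-wins rule).
function parseCookieHeader(header) {
  const out = {};
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (out[name] === undefined) out[name] = pair.slice(eq + 1).trim();
  }
  return out;
}

// Old build (no Domain) -> new build (Domain=ginja) -> server expires the legacy cookie.
function runScenario() {
  const jar = new CookieJar();
  const host = 'ginja'; // constructed hostname
  jar.store('connect.sid=s%3Aold-session; Path=/; HttpOnly; Secure', host);
  jar.store('connect.sid=s%3Anew-session; Domain=ginja; Path=/; HttpOnly; Secure', host);
  const sentBefore = jar.cookieHeader(host);
  const seenBefore = parseCookieHeader(sentBefore)['connect.sid']; // stale id wins
  // Mitigation: same name and path, no Domain attribute, Max-Age=0 removes the host-only cookie.
  jar.store('connect.sid=; Path=/; Max-Age=0', host);
  const sentAfter = jar.cookieHeader(host);
  const seenAfter = parseCookieHeader(sentAfter)['connect.sid'];
  const sentToSubdomain = jar.cookieHeader('app.' + host); // only the domain cookie reaches it
  return { sentBefore, seenBefore, sentAfter, seenAfter, sentToSubdomain };
}

console.log(runScenario());
```

The point for a server-side fix is the third `store` call: a Set-Cookie that names the cookie and path but carries no Domain attribute targets the host-only record and leaves the domain cookie untouched, so the login response can send both the new domain cookie and that deletion header during the migration.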
