
node.js - Frontend is not receiving cookies from backend - Stack Overflow


Stack: backend(NestJS, Redis, Postgres), frontend(NextJS)

I got the backend running on a VPS server with nginx configured on the domain https://backend.exampleurl and the frontend running on the same domain, https://frontend.exampleurl. Auth is done with a Redis session with cookies.

Here is main.ts config:

app.use(
    session({
      secret: config.getOrThrow<string>('SESSION_SECRET'),
      name: config.getOrThrow<string>('SESSION_NAME'),
      resave: true,
      saveUninitialized: false,
      cookie: {
        domain: '.exampleurl',
        maxAge: 604800000,
        httpOnly: true,
        secure: true,
        sameSite: 'none',
      },
      store: new RedisStore({
        client: redis,
        prefix: config.getOrThrow<string>('SESSION_FOLDER'),
      }),
    }),
  )
  app.enableCors({
    credentials: true,
    exposedHeaders: ['Set-Cookie'],
    origin: 'https://frontend.exampleurl',
    allowedHeaders: 'Content-Type, Accept, Authorization',
  })

nginx conf:

location / {
            proxy_pass http://127.0.0.1:8001;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Cookie $http_cookie;  # Pass cookies through
            proxy_pass_request_headers on;

            proxy_pass_header Set-Cookie;
            proxy_pass_header Access-Control-Allow-Origin;
            proxy_pass_header Access-Control-Allow-Credentials;
            proxy_pass_header Access-Control-Allow-Headers;
            proxy_pass_header Access-Control-Expose-Headers;
            proxy_pass_header Access-Control-Allow-Methods;

            add_header 'Cache-Control' "no-store, no-cache, must-revalidate, max-age=0";
}

The problem is that when I hit the auth endpoint from the frontend, I'm not receiving the auth cookie from the backend; the response header does not have Set-Cookie.

I tried to run the backend locally on https://localhost:8001 and the frontend also on https, https://localhost:3000, and tested auth with the same httpOnly: true, secure: true, sameSite: 'none' settings. I receive the cookie and it works just perfectly, but when it comes to deployment it does not work. Any ideas? Can nginx be the reason?

Asked Mar 12 at 17:57 by Temirlan, edited Mar 14 at 11:51

Comments:
  • Edit your question to include the frontend code that makes the request. You're probably just missing the necessary credentials: 'include' / withCredentials: true property – Phil, Mar 12 at 22:10
  • Even with credentials include it does not work – Temirlan, Mar 13 at 18:33

1 Answer

I’ve just written a post about this subject where I encountered these issues. You can find it here: Cookie issues with Passport: why are cookies not sent/stored?

For me, the reason was a missing header in my Nginx configuration:

proxy_set_header X-Forwarded-Proto $scheme;

Without this configuration, the Set-Cookie header cannot be sent.
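
Added example, not part of the answer or the question's code: a small JavaScript model of the documented rule that express-session writes a `secure: true` cookie only when the request counts as HTTPS, which behind nginx depends on both the `X-Forwarded-Proto` header and Express's `trust proxy` setting (or the session `proxy` option). The function names, the `appTrustProxy` and `sessionProxy` fields, and the scenarios are constructed for illustration.

```javascript
// Simplified model of documented Express / express-session behaviour,
// written for this page; it is not the libraries' source code.

// First hop of a possibly comma-separated X-Forwarded-Proto value.
function firstProto(header) {
  return (header || '').split(',')[0].trim().toLowerCase();
}

// Express: req.secure is true when Node itself terminates TLS, or when the
// app trusts the proxy (app.set('trust proxy', ...)) and the proxy reports https.
function expressReqSecure({ encrypted, appTrustProxy, forwardedProto }) {
  if (encrypted) return true;
  if (!appTrustProxy) return false; // header is ignored without trust proxy
  return firstProto(forwardedProto) === 'https';
}

// express-session: with cookie.secure = true, Set-Cookie is written only if
// the request is considered secure. sessionProxy models session({ proxy }):
// undefined defers to Express, true reads the header, false ignores it.
function willSetCookie(s) {
  if (!s.cookieSecure) return true;
  if (s.encrypted) return true;
  if (s.sessionProxy === false) return false;
  if (s.sessionProxy === true) return firstProto(s.forwardedProto) === 'https';
  return expressReqSecure(s);
}

// Constructed scenarios mirroring the setups described on this page.
const scenarios = {
  // Backend served directly over https://localhost:8001
  localHttps: { cookieSecure: true, encrypted: true },
  // nginx terminates TLS and proxies to http://127.0.0.1:8001 with the
  // header set, but the app does not trust the proxy
  nginxNoTrustProxy: { cookieSecure: true, encrypted: false,
                       appTrustProxy: false, forwardedProto: 'https' },
  // Same proxy, trust proxy enabled
  nginxTrustProxy: { cookieSecure: true, encrypted: false,
                     appTrustProxy: true, forwardedProto: 'https' },
  // Trust proxy enabled, but nginx does not send X-Forwarded-Proto
  nginxHeaderMissing: { cookieSecure: true, encrypted: false,
                        appTrustProxy: true, forwardedProto: undefined },
};

function evaluate() {
  const out = {};
  for (const [name, s] of Object.entries(scenarios)) out[name] = willSetCookie(s);
  return out;
}

console.log(evaluate());
```

In the model, the header and the trust setting must both be present for the cookie to be written behind the proxy; the question's main.ts shows neither `trust proxy` nor the session `proxy` option.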
