app could not receive secure cookies from client.

I had no problem receiving cookies when I use Railway apps, but today I’ve switched my server from Railway to Fly.io and I’m facing an unexpected issue right now.

I have added a custom domain and everything works fine except accepting the cookies.
The server log indicates that the cookies are empty.

Any ideas why? I’m not gonna post server side code here for now. I don’t think the code is the actual problem.

Hi,

Hmm. I haven’t moved an app from Railway before, however I’d guess that if secure cookies are not being set, it would be because the app assumes the connection to it is not secure/encrypted. That would be confirmed if you can set non-secure cookies (which would confirm the domain is not the issue, it is the secure bit it’s not happy about).

For example Nodejs will refuse to set a secure cookie if it thinks the connection to it is not encrypted.

Depending on your language/app, it may need to look for a header and/or trust the (now) Fly proxy to be reassured it is encrypted, and so can set a secure cookie with confidence. Again, to take nodejs (as an example) it needs to know it is behind a proxy e.g:

So how exactly that is done depends on the language and how you have Fly set up (whether using its proxy or not), but should be easy to add. Someone will have moved such a [language] app before, I’m sure :slight_smile:

Thanks for the response @greg
I have tested non-secure cookies in my local env. And I’m pretty sure that my NextJS application is sending a request via a secure connection.

Just an FYI, I haven’t set anything related to Fly. Should I set the proxy in order to make it work?

Hmm :thinking:

Well I guess the first thing I’d check is that the cookie exists to be sent (in response to a prior set-cookie header from the domain). You could check that in your browser, look at your domain, and see if the cookie is listed. That should show its properties too. For example if it’s set for a path /xyz and your app is now not at that path (as a result of the move), the cookie would not be sent and so the server would not receive it. Or if any other attribute it has indicates why the browser would not send it.

On the other hand, if you look at the network tab and click the request that should have it, and indeed see the browser is sending the cookie … but the server is not receiving it … that’s odd. Since Fly’s proxy wouldn’t remove it - it would pass the headers along to your app, as-is. The only thing I can think of there is maybe if you are using signed and/or encrypted cookies in your app (not sure what nextjs defaults to), and the secret used to verify the cookie signature is not set in Fly (e.g in a secret ENV) but is in your local env, the cookie could be sent to the app on Fly but not appear because the signature failed. So it would be dropped by a middleware. Total guesses I’m afraid!


Well @greg, I’ve found what the problem was. I’ve checked the request cookies and the domain was set incorrectly. The domain was supposed to be “.customdomain.com” but I set it like “dev.customdomain.com”. During the migration from Railway to Fly, I think I changed the env variable with a strange string.
Thank you for your time @greg. You gave me an idea to solve this stupid mistake. :slight_smile:


@jeffminsungkim No problem at all. You’re welcome :slight_smile:

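The attribute checks discussed in this thread (Domain, Path, Secure), as an added example that is not part of any post: a simplified version of the RFC 6265 matching a browser applies before it attaches a cookie to a request. The helper names, the `setByHost` field and the request host `api.customdomain.com` are assumptions for illustration; the two Domain values are the ones quoted in the thread.

```javascript
// Simplified RFC 6265 matching (ignores IP-address hosts, public-suffix
// rules and SameSite). Helper names are hypothetical, not from any library.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ''); // leading dot is ignored
  return h === d || h.endsWith('.' + d);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // "/xyz" covers "/xyz/a" but not "/xyzzy"
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Returns the reasons a browser would withhold the cookie; [] means it is sent.
function whyNotSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const reasons = [];
  if (cookie.domain) {
    if (!domainMatches(url.hostname, cookie.domain)) {
      reasons.push(`Domain=${cookie.domain} does not cover ${url.hostname}`);
    }
  } else if (cookie.setByHost && cookie.setByHost !== url.hostname) {
    // No Domain attribute: the cookie is host-only.
    reasons.push(`host-only cookie set by ${cookie.setByHost}`);
  }
  const path = cookie.path || '/';
  if (!pathMatches(url.pathname, path)) {
    reasons.push(`Path=${path} does not cover ${url.pathname}`);
  }
  if (cookie.secure && url.protocol !== 'https:') {
    reasons.push('Secure cookie on a non-HTTPS request');
  }
  return reasons;
}

// Constructed sample: the API host is an assumption, not from the thread.
const apiUrl = 'https://api.customdomain.com/session';
const wrong = { domain: 'dev.customdomain.com', path: '/', secure: true };
const fixed = { domain: '.customdomain.com', path: '/', secure: true };
console.log(whyNotSent(wrong, apiUrl)); // one Domain reason
console.log(whyNotSent(fixed, apiUrl)); // empty: cookie is sent
```
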