fix: dynamically set session cookie domain based on request hostname

2025-08-02 03:35:18 +02:00 · 2025-01-13 18:06:16 -05:00 · 2025-01-13 18:06:16 -05:00 · 4a36fbb4c1
commit 4a36fbb4c1
parent 062111d7fe
2 changed files with 22 additions and 3 deletions
--- a/frontend/src/routes/login/+page.server.ts
+++ b/frontend/src/routes/login/+page.server.ts
@ -103,19 +103,39 @@ export const actions: Actions = {
 	}
 };

-function handleSuccessfulLogin(event: RequestEvent<RouteParams, '/login'>, response: Response) {
+function handleSuccessfulLogin(event: RequestEvent, response: Response) {
 	const setCookieHeader = response.headers.get('Set-Cookie');
 	if (setCookieHeader) {
 		const sessionIdRegex = /sessionid=([^;]+).*?expires=([^;]+)/;
 		const match = setCookieHeader.match(sessionIdRegex);
 		if (match) {
 			const [, sessionId, expiryString] = match;
+
+			// Get the proper cookie domain
+			const hostname = event.url.hostname;
+			const domainParts = hostname.split('.');
+			let cookieDomain: string | undefined = undefined;
+
+			if (domainParts.length > 2) {
+				// For subdomains like app.mydomain.com -> .mydomain.com
+				cookieDomain = '.' + domainParts.slice(-2).join('.');
+			} else if (domainParts.length === 2) {
+				// For root domains like mydomain.com -> .mydomain.com
+				cookieDomain = '.' + hostname;
+			} else {
+				// For localhost or single-part domains (e.g., "localhost")
+				cookieDomain = undefined; // Do not set the domain
+			}
+
+			console.log('Setting sessionid cookie with domain:', cookieDomain);
+
 			event.cookies.set('sessionid', sessionId, {
 				path: '/',
 				httpOnly: true,
 				sameSite: 'lax',
 				secure: event.url.protocol === 'https:',
-				expires: new Date(expiryString)
+				expires: new Date(expiryString),
+				domain: cookieDomain // Set the domain dynamically
 			});
 		}
 	}