35,100 questions
Best practices
0
votes
0
replies
13
views
Safe ways to deliver access tokens to both browser and mobile clients?
After completing a PKCE OAuth2 flow, I want to send the following response:
{
"access_token": "abc...",
"refresh_token": "def...",
"id_token": &...
-1
votes
0
answers
38
views
How to protect routes in Next.js when auth tokens are stored in HttpOnly cookies? [closed]
I’m using Next.js (App Router) where authentication is handled by the backend.
The backend sets access and refresh tokens in HttpOnly + Secure cookies, so the frontend cannot read token values (which ...
0
votes
0
answers
70
views
Android Zebra / WebView drops session cookie after AJAX login over intranet HTTP, works on desktop browsers (SameSite/Secure?)
I’m running a web app on an intranet IP over plain HTTP and seeing inconsistent login behavior on a Zebra PDA using an Android embedded browser or WebView. Desktop browsers work reliably.
Login is ...
Best practices
0
votes
0
replies
11
views
Next.js App Router + ASP.NET Core Web API: Best practice for access token in memory and refresh token HttpOnly cookie
I have a Next.js application using the App Router and an ASP.NET Core Web API.
Current authentication model:
Access token: short-lived, intended to be kept in memory
Refresh token: stored as an ...
4
votes
1
answer
111
views
FastAPI backend always returns HTTP 200 on login (even with wrong credentials) and no cookie is set after deployment
I have a React frontend communicating with a backend server. When I run and test both locally, authentication works correctly—failed login attempts return appropriate error statuses (e.g., 401 or 403)....
0
votes
0
answers
38
views
Safari redirect to authenticated page succeeds, but Safari rejects new authentication cookie
We've integrated with our client to enable seamless authentication across our sites without having to set up OAuth or any other federated stuff. This works for all browsers except Safari, where the ...
0
votes
0
answers
79
views
Why can’t my client-side Supabase auth read the session after middleware sets cookies in Next.js 16?
I’m using Next.js 16 (App Router) with Supabase SSR auth, and I’m stuck on a mismatch between server-side and client-side auth state.
The server clearly knows the user is authenticated, but the ...
1
vote
0
answers
90
views
How to send HttpOnly cookies (refresh token) to ASP.NET Core backend on localhost?
I’m setting an HttpOnly cookie in the browser every time a user logs in or signs up on my website. This cookie contains a refresh token that I use to get a new access token.
The problem is that the ...
2
votes
1
answer
81
views
Why is this cookie not being passed to Depends function in FastAPI websockets
The browser is sending the cookie with the request, and the cookie is available in websocket.cookies; however, it becomes None when passed to the get_cookie function.
What is wrong here?
The output is:
...
Tooling
0
votes
0
replies
37
views
How to save user's info/are they logged in in a Streamlit app
I am making a Streamlit web app for school, and I just made a signup page where the user can enter a first and last name and password. I then store all that in a SQL DB. I made a working login page, but ...
0
votes
0
answers
87
views
HttpOnly SameSite=None cookie not persisted on mobile, works on desktop
I'm working on a Spring Boot backend with React frontend. I'm setting an HttpOnly cookie for refresh tokens like this:
@NotNull
private ResponseEntity<String> getStringResponseEntity(...
0
votes
3
answers
111
views
In Next.js App Router, cookie set in server action is not available during initial client render
I encountered an unexpected behavior with cookies in Next.js when setting a cookie inside a server action and attempting to read it during the initial render of a client component. The server action ...
-1
votes
2
answers
138
views
How to set cookies from the backend on production? [closed]
I am trying to set cookies from the backend but the frontend (browser) keeps auto deleting them. This only happens on production not on localhost.
The cookie flow is this:
user clicks login with ...
0
votes
0
answers
74
views
Cookie not transferred after redirect in OAuth2 implementation (works in Chrome, fails in other browsers)
I have an application with my Express server hosted on Render and my React frontend hosted on Vercel. I'm implementing OAuth2 with Google and setting the access token into the oauth_token cookie after ...
0
votes
1
answer
118
views
Get cookies from Chrome while its instance is running on Windows in Python
I tried the libraries like browser_cookie and browser_cookie3 and both fail. Browser Cookie3 does not work for the modern Chrome and even though browser_cookie DOES after I tweak its source code a ...