Cookies lost after redirect from non www to www domain name

My sites are

If I use https://example.com and log in using Google OAuth2, after the redirect back to https://www.example.com my cookies don't persist; it's restarted, so I'm not able to log in. If I use https://www.example.com and redirect back to the same https://www.example.com, it works fine. I'm not sure if it should be working fine, since both are the same domain, only one doesn't have www. I'm using NGINX with SSL via certbot; currently my alternative plan is to make my redirect URI dynamic if I can't find a solution.

map $sent_http_content_type $expires {
    "text/html"                 epoch;
    "text/html; charset=utf-8"  epoch;
    default                     off;
}

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}


server {

        gzip            on;
        gzip_types      text/plain application/xml text/css application/javascript;
        gzip_min_length 1000;


        location / {
                proxy_set_header Host               $host;
                proxy_set_header X-Real-IP          $remote_addr;
                proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto  $scheme;
                proxy_set_header X-Auth-Request-Redirect "https://www.example.com";
                proxy_cache_bypass                      $http_upgrade;
                proxy_pass                          http://127.0.0.1:3000;
                proxy_http_version      1.1;
                proxy_buffer_size          128k;
                proxy_buffers              4 256k;
                proxy_busy_buffers_size    256k;
                #proxy_cookie_path / "/; SameSite=lax; HTTPOnly; Secure";
        }

        #location /api {
        #       proxy_pass http://127.0.0.1:3333;
        #       proxy_cookie_path / "/; SameSite=none; HTTPOnly; Secure";
        #}

        location /adonis-ws {

                proxy_pass http://127.0.0.1:3333;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_cache_bypass $http_upgrade;
                proxy_connect_timeout 2592000;
                proxy_send_timeout 2592000;
                proxy_read_timeout 2592000;

        }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}




server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        listen [::]:80;



    server_name example.com www.example.com 123.123.123;
    return 404; # managed by Certbot

}

Update

My cookies aren't shared between www and non-www. I decided to force a redirect of my website to www instead, since it works when the origin domain is the same.

It's not something related to NGINX. It is related to the way the browser deals with cookies. You should have your cookies scoped to the parent domain (example.com) and not to the subdomain (www.example.com).
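The browser behaviour the answer refers to, as an added example that is not part of the original posts: a minimal JavaScript model of the RFC 6265 Domain rules, run against the hosts from the question. The function names and the hosts `blog.example.com` and `other.example` are made up for illustration.

```javascript
// RFC 6265 section 5.1.3: does request host `host` domain-match cookie domain `domain`?
// (IP-address hosts and public-suffix checks are not modelled here.)
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 section 5.3, Domain handling only: store a cookie received from `setHost`.
// `domainAttr` is the Domain attribute of Set-Cookie, or undefined when absent.
// Returns null when the browser would reject the cookie.
function storeCookie(setHost, name, domainAttr) {
  if (domainAttr === undefined) {
    // No Domain attribute: host-only cookie, bound to the exact host that set it.
    return { name, domain: setHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // a leading dot is ignored
  // A host may only set cookies for itself or for one of its parent domains.
  if (!domainMatch(setHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the browser attach `cookie` to a request for `requestHost`?
function isSent(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Constructed scenario: the session cookie is set on the apex host and the
// OAuth2 callback lands on the www host.
function scenario() {
  const hostOnly = storeCookie('example.com', 'session', undefined);
  const parentScoped = storeCookie('example.com', 'session', 'example.com');
  const fromWww = storeCookie('www.example.com', 'session', undefined);
  return {
    hostOnlyToWww: isSent(hostOnly, 'www.example.com'),         // false: the reported failure
    parentToWww: isSent(parentScoped, 'www.example.com'),       // true: parent-domain scope
    parentToOtherSub: isSent(parentScoped, 'blog.example.com'), // true: every subdomain gets it
    wwwToApex: isSent(fromWww, 'example.com'),                  // false
    foreignRejected: storeCookie('www.example.com', 'session', 'other.example') === null, // true
  };
}

console.log(scenario());
```

A session cookie scoped to the parent domain is sent to every host under example.com, so each of those hosts has to be trusted with it. Redirecting everything to one canonical host, as the update does, keeps the cookie host-only.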
