Vercel Community

[▲ Vercel Community](/) · [Categories](/categories) · [Latest](/latest) · [Top](/top) · [Live](/live)

[Help](/c/help/9)

# Cookies aren't stored in the browser after deployment

1005 views · 7 likes · 22 posts


Rawda Yasser (@rawda-yasser) · 2025-03-24

<!-- Questions that get answered the fastest are the ones with relevant info included in the original post. Be sure to include all detail needed to let others see and understand the problem! -->
i am building a full stack web app using expressJS for the backend and NextJS for the frontend. I have built the **/login** endpoint and it's working fine *locally*. However, it didn't work after I deployed it on vercel. 

<!-- Current versus Expected behavior -->
The problem is that I send a cookie from the backend and it's working fine but it's not stored in the browser after deployment. It's working fine on localhost.


<!-- Code, configuration, and steps that reproduce this issue -->

```js
export const login = async (req, res) => {
    try {
        const { username, password } = req.body;

        // Check user exists
        const user = await prisma.user.findUnique({ where: { username } });
        if (!user) return res.status(401).json({ message: "Invalid credentials" });

        // Check correct password
        const isValidPassword = await bcrypt.compare(password, user.password);
        if (!isValidPassword) return res.status(401).json({ message: "Invalid credentials" });

        // Generate a cookie tooken
        const age = 1000 * 60 * 60 * 24 * 7; // 7 days

        const token = jwt.sign({ id: user.id }, process.env.JWT_SECRET, { expiresIn: age });
        const { password: password_, ...userInfo } = user;
        const isProduction = process.env.NODE_ENV === "production";

        return res.cookie(
            "token",
            token, {
            httpOnly: true,
            secure: isProduction,
            sameSite: isProduction ? "none" : "lax",
            path: "/",
            // domain: isProduction ? '.vercel.app' : ".localhost",
            partitioned: isProduction,
            maxAge: age,
        }
        ).json({ message: "Login successful", data: userInfo });

    } catch (err) {
        console.log(err)
        return res.status(500).json({ message: "Failed to login" })
    }
}
```
```
// api/index.js
 import express from 'express';
import dotenv from "dotenv";
import authRoutes from "../routes/auth.route.js";
import cookieParser from 'cookie-parser';
import cors from "cors";
const port = process.env.PORT || 4000;
dotenv.config()

const app = express();
app.set('trust proxy', 1);
app.use(cors({
    origin: process.env.CLIENT_URL,
    credentials: true,
}))
app.use(express.json());
app.use(cookieParser());
app.use("/api/auth", authRoutes);

app.get("/", (req, res) => {
    return res.send("It works");
})
app.use((_err, _req, res, _next) => {
    res.status(500).json({
        status: 'Failed',
        message: 'Something went wrong',
    });
});


app.listen(port, () => console.log(`server running at ${port}`));

export default app;
```
```
// axios config
import axios from "axios";
export const apiRequest = axios.create({
    baseURL: `${process.env.NEXT_PUBLIC_API_URL}/api`,
    withCredentials: true,
})
// frontened
const res = await apiRequest.post("/auth/login", {
        username,
        password,
 });
```
<!-- Project information (URL, framework, environment, project settings) -->


system (@system) · 2025-03-24

If you're having trouble deploying an Express app, this guide can help.

https://vercel.com/guides/using-express-with-vercel

You can also ask [v0](https://v0.dev/) for suggestions tailored to your own project setup.


Rawda Yasser (@rawda-yasser) · 2025-03-24

Also it's sending the cookies correctly from the backend
![Screenshot from 2025-03-24 14-07-27|532x404](upload://kXjEn7zjcHM1v5xlaZQHkoBhxQS.png)


Anshuman Bhardwaj (@anshumanb) · 2025-03-25 · ♥ 1

Hi @rawda-yasser, welcome to the Vercel Community!

I think this issue is most likely to be related to the allowed domain. Can you share the domain where is the express backend hosted and where is the Next.js frontend hosted?


Rawda Yasser (@rawda-yasser) · 2025-03-25

This is the **backend**
https://rawdaymohamed-my-estate-backend.vercel.app/

This is the **frontend**
https://rawdaymohamed-my-estate.vercel.app/


Rawda Yasser (@rawda-yasser) · 2025-03-25

@anshumanb is that what you mean?


Rawda Yasser (@rawda-yasser) · 2025-03-26

@anshumanb Can you show what you mean by allowed domains? 
Everything is working correctly in the deployment except the cookie storage in the browser. The backend is connected correctly to the frontend
```
app.use(cors({
    origin: process.env.CLIENT_URL,
    credentials: true,
}))
```


Anshuman Bhardwaj (@anshumanb) · 2025-03-26

[quote="Rawda Yasser, post:1, topic:7549, username:rawda-yasser"]
```
        return res.cookie(
            "token",
            token, {
            httpOnly: true,
            secure: isProduction,
            sameSite: isProduction ? "none" : "lax",
            path: "/",
            // domain: isProduction ? '.vercel.app' : ".localhost",
            partitioned: isProduction,
            maxAge: age,
        }
        ).json({ message: "Login successful", data: userInfo });
```
[/quote]


Hi @rawda-yasser, I think in the `domain` isn't set properly here. As per [MDN docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#domaindomain-value):

> Contrary to earlier specifications, leading dots in domain names (`.example.com` ) are ignored.

So, you should set the domain to `rawdaymohamed-my-estate.vercel.app` exactly.

Can you give this a try?


Rawda Yasser (@rawda-yasser) · 2025-03-26

[quote="Anshuman Bhardwaj, post:8, topic:7549, username:anshumanb"]
rawdaymohamed-my-estate.vercel.app
[/quote]
@anshumanb I tried it but it still doesn't store cookies in the frontend
```
export const login = async (req, res) => {
    try {
        const { username, password } = req.body;

        // Check user exists
        const user = await prisma.user.findUnique({ where: { username } });
        if (!user) return res.status(401).json({ message: "Invalid credentials" });

        // Check correct password
        const isValidPassword = await bcrypt.compare(password, user.password);
        if (!isValidPassword) return res.status(401).json({ message: "Invalid credentials" });

        // Generate a cookie tooken
        const age = 1000 * 60 * 60 * 24 * 7; // 7 days

        const token = jwt.sign({ id: user.id }, process.env.JWT_SECRET, { expiresIn: age });
        const { password: password_, ...userInfo } = user;
        const isProduction = process.env.NODE_ENV === "production";

        return res.cookie(
            "token",
            token, {
            httpOnly: true,
            secure: isProduction,
            sameSite: isProduction ? "none" : "lax",
            path: "/",
            domain: isProduction ? 'rawdaymohamed-my-estate.vercel.app' : "localhost:4000",
            maxAge: age,
        }
        ).json({ message: "Login successful", data: userInfo });

    } catch (err) {
        console.log(err)
        return res.status(500).json({ message: "Failed to login" })
    }
}
```

![Screenshot from 2025-03-26 10-56-39|690x471](upload://wnJsLvMRebeHGJEPBsFs2vjWCox.png)


Anshuman Bhardwaj (@anshumanb) · 2025-03-26

Oh I see. Can you confirm if `isProduction` is true in the deployed version of your app? Also, can you share a response from the deployed app so we can see what the `set-cookie` header contains.


Rawda Yasser (@rawda-yasser) · 2025-03-26

Yes the `NODE_ENV` is set to production
These are the responses
![Screenshot from 2025-03-26 12-41-38|690x472](upload://hFrKy7sR62I6KIacDpWfqC6l8Dm.png)

![Screenshot from 2025-03-26 12-41-56|690x472](upload://bn2SXeFyajICBBWMfa4lH36BfKh.png)


Anshuman Bhardwaj (@anshumanb) · 2025-03-26

Hi @rawda-yasser, can you try the same in another browser? You are using Firefox which might have default settings to ignore cookies.

Related post: https://support.mozilla.org/ml/questions/1261091


Rawda Yasser (@rawda-yasser) · 2025-03-26 · ♥ 1

@anshumanb it saves cookies on chrome but once I refresh the browser the cookies are gone


Anshuman Bhardwaj (@anshumanb) · 2025-03-27

Hi @rawda-yasser, I'd recommend reading up on the latest Cookies features and changes. There might be some changes in how browsers now treat the SameSite and Domain settings.

This isn't a Vercel issue as such, but we can continue to debug this together. Feel free to share your findings.


Rawda Yasser (@rawda-yasser) · 2025-03-27

 Sure, can you provide me with some resources? I'd appreciate it


Anshuman Bhardwaj (@anshumanb) · 2025-03-27 · ♥ 1

Hi @rawda-yasser, sure. I'd say for all web related queries MDN is the most reliable source.

I recommend you to give these docs a read:

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies 
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie
- https://developers.google.com/privacy-sandbox/cookies/basics/cookie-attributes


Rawda Yasser (@rawda-yasser) · 2025-03-27 · ♥ 1

I will check them and try again. Thanks


Surav (@suravshrestha13) · 2025-06-15 · ♥ 1

@rawda-yasser 
I'm having the same issue with my app, did you solve this issue?


Tolvumal 7091 (@tolvumal-7091) · 2025-09-16 · ♥ 2

I also have the same exact issue, it is like the Domain parameter is not working, even if setup exactly as the domain being used. Would be really nice to see if anyone resolved this issue.


halls00 (@arturoproal) · 2025-09-25

Have you got news? I have the same exact problem


halls00 (@arturoproal) · 2025-09-26

I solved it for me!! problem was my API fetch calls were server actions. Server actions don’t pass the Cookie from the backend to the client, and from the client to the server.


Rohit Yadav (@rohityadavse-8035) · 2025-10-01

yes this is a vercel issue, here is an article for you to read (Only fix is to use custom domain, not vercel one):

https://vercel.com/guides/can-i-set-a-cookie-from-my-vercel-project-subdomain-to-vercel-app