I am using two Google Cloud Run containers to host different applications. I changed the URLs in the question for privacy reasons (the structure stays the same obviously).
- A Laravel Backend which uses Sanctum. This runs on ice-bear-backend-abcde-ey.a.run.app
- A VueJS Frontend which runs on ice-bear-frontend-abcde-ey.a.run.app
I use the following configuration in Laravel:
SANCTUM_STATEFUL_DOMAINS=ice-bear-frontend-abcde-ey.a.run.app
SESSION_DOMAIN=.run.app
The backend therefore returns the following cookies:
However, these cookies are not set by the browser as it rejects the cookies with an error that the domain is not correct.
The error in Firefox is: "Cookie “XSRF-TOKEN” has been rejected for invalid domain."
And the same error in Chrome: "This attempt to set a cookie via a Set-Cookie header was blocked because its Domain attribute was invalid with regards to the current host URL."
I tested a lot of different configurations for many hours regarding SameSite (none, lax) and Secure (true, false). And obviously, there are also different domains for the cookies (.a.run.app or even ice-bear-frontend-abcde-ey.a.run.app). But I can't get this to work. Unfortunately, I don't have a deep understanding of the configuration of cookies, and all other questions and solutions here that I tested are about having both on the same domain or only the backend on a subdomain. But I couldn't get those solutions to work.
So I hope somebody with more experience than me has an idea of what is still misconfigured.
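One way to see why every Domain value tried in the question is rejected is to model the check the browser performs on a Set-Cookie Domain attribute: the value must domain-match the request host (RFC 6265 section 5.1.3) and must be no broader than the host's registrable domain (eTLD+1), which Firefox and Chromium derive from the Public Suffix List. The following JavaScript is an added example, not code from the question or from Laravel/Sanctum. Its public-suffix list is a constructed three-entry sample; it assumes that a.run.app is the Cloud Run entry on the real Public Suffix List (verify against the current list; the outcome below is the same if the listed entry is run.app or *.run.app). The hostnames are the question's placeholders, and the example.com cases are added for contrast to show why the "same domain / backend on a subdomain" solutions from other questions work where a Cloud Run host cannot.

```javascript
// Added example (not from the original question): a model of how a browser
// validates a Set-Cookie Domain attribute against the request host.

// Constructed Public Suffix List sample, only the entries needed here.
// ASSUMPTION: "a.run.app" is the Cloud Run entry on the real PSL.
const PSL_SAMPLE = ["app", "com", "a.run.app"];

// Longest matching PSL rule wins; with no match the TLD is the public suffix.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  let best = labels[labels.length - 1];
  for (let i = labels.length - 2; i >= 0; i--) {
    const candidate = labels.slice(i).join(".");
    if (PSL_SAMPLE.includes(candidate)) best = candidate;
  }
  return best;
}

// Registrable domain (eTLD+1): the public suffix plus one more label,
// or null when the host itself is a public suffix.
function registrableDomain(host) {
  const h = host.toLowerCase();
  const suffix = publicSuffix(h);
  if (h === suffix) return null;
  const rest = h.slice(0, h.length - suffix.length - 1).split(".");
  return rest[rest.length - 1] + "." + suffix;
}

// Check a Domain attribute for a cookie set in a response from requestHost.
// A leading dot (as Laravel emits for SESSION_DOMAIN=.run.app) is ignored,
// exactly as browsers do. Returns { ok, reason }.
function checkCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) {
    return { ok: true, reason: "host-only cookie for " + host };
  }
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  // Step 1: the request host must equal the domain or end with "." + domain.
  if (host !== domain && !host.endsWith("." + domain)) {
    return { ok: false, reason: `"${domain}" does not domain-match "${host}"` };
  }
  // Step 2: the domain may not be at or above the public suffix, i.e. it must
  // be the registrable domain or a subdomain of it.
  const reg = registrableDomain(host);
  if (reg === null || (domain !== reg && !domain.endsWith("." + reg))) {
    return { ok: false, reason: `"${domain}" is at or above the public suffix "${publicSuffix(host)}"` };
  }
  return { ok: true, reason: "cookie scoped to " + domain };
}

// The question's placeholder hosts.
const BACKEND = "ice-bear-backend-abcde-ey.a.run.app";
const FRONTEND = "ice-bear-frontend-abcde-ey.a.run.app";

// Every Domain value the question tried, plus two contrast cases on a
// host whose registrable domain is above the service name.
function evaluateConfigs() {
  return [
    [BACKEND, ".run.app"],
    [BACKEND, ".a.run.app"],
    [BACKEND, FRONTEND],
    [BACKEND, BACKEND],
    [BACKEND, ""],
    ["api.example.com", ".example.com"],
    ["api.example.com", ".com"],
  ].map(([host, domain]) => ({ host, domain, ...checkCookieDomain(host, domain) }));
}

for (const r of evaluateConfigs()) {
  console.log(`${r.ok ? "ACCEPT" : "REJECT"} Domain=${r.domain || "(none)"} on ${r.host}: ${r.reason}`);
}
```

Because a.run.app is a public suffix, the registrable domain of a Cloud Run host is the full service hostname, so the only Domain values the browser will accept are that exact host or no Domain at all; nothing that covers both the backend and the frontend service can be set from a *.a.run.app origin. The api.example.com rows show the contrast: a shared parent below the public suffix is accepted, which is what the subdomain-based answers elsewhere rely on.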