
How to set a same domain cookie with Heroku subdomains?

I have my front end running on one Heroku instance: fe.herokuapp.com

And my back end running on another instance: be.herokuapp.com

I want to set a same domain cookie when a user logs in from the front end.

I am using the Koa cookies module to set the cookie like so:

cookies.set("accessToken", token, {
  maxAge: 1000 * 60 * 24,
  signed: true,
  secure: process.env.NODE_ENV === "production",
  httpOnly: true,
  domain: process.env.ORIGIN_HOSTNAME || "localhost"
})

If it helps, I'm using a React front end and a Node back end (using Koa).

Via Postman, my back end returns the following set-cookie header:

accessToken=<access_token>; path=/; expires=Sun, 01 Sep 2019 16:27:24 GMT; domain=.herokuapp.com; secure; httponly

However, via my React app, I can't see any set-cookie headers.

My front end is using the isomorphic-unfetch library with credentials = "include". (Perhaps this needs to be same-origin since it's on the same subdomain?)

My two questions are:

  1. Why can't I set the domain value in my cookie from the back end to be fe.herokuapp.com?
  2. Why can I see the set-cookie header via Postman but not in my front end React app?

Happy to post more code snippets if need be.

Stretch0 asked Oct 27 '25 23:10


1 Answer

herokuapp.app is listed in the Public Suffix List, which means cookies are blocked from being set to the domain "herokuapp.com".

You must use the custom domain technique.

itsTanany answered Oct 30 '25 11:10
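
The check a browser applies to the Domain attribute, sketched as an added example that is not part of the original question or answer. It follows a simplified reading of RFC 6265 (domain-match plus the public suffix rejection); the two-entry suffix set, the function names, and `api.example.com` / `example.com` are assumptions made for illustration.

```javascript
// Constructed excerpt of the Public Suffix List; the real list is much longer.
const PUBLIC_SUFFIXES = new Set(["com", "herokuapp.com"]);

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are not handled here).
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Simplified RFC 6265 section 5.3 decision for the Domain attribute.
// requestHost: host that sent Set-Cookie. domainAttr: Domain value, or undefined.
function evaluateCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const hostOnly = { stored: true, hostOnly: true, scope: host };
  if (!domainAttr) return hostOnly;
  // A leading dot in the attribute is ignored.
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (PUBLIC_SUFFIXES.has(domain)) {
    // A public suffix is only tolerated when it equals the request host,
    // and then the cookie is treated as host-only.
    if (domain === host) return hostOnly;
    return { stored: false, reason: "Domain is a public suffix" };
  }
  if (!domainMatches(host, domain)) {
    return { stored: false, reason: "request host does not domain-match Domain" };
  }
  // Accepted: sent to the domain itself and to every subdomain of it.
  return { stored: true, hostOnly: false, scope: domain };
}

// Constructed cases; api.example.com / example.com are hypothetical custom domains.
const cases = [
  ["be.herokuapp.com", ".herokuapp.com"],   // the Set-Cookie header from the question
  ["be.herokuapp.com", "fe.herokuapp.com"], // question 1: sibling subdomain
  ["be.herokuapp.com", undefined],          // no Domain attribute
  ["api.example.com", "example.com"],       // custom domain shared by both apps
];
for (const [host, domain] of cases) {
  console.log(host, "Domain=" + domain, JSON.stringify(evaluateCookieDomain(host, domain)));
}
```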