Thanks for the quick reply! Ill check that out

Great library by the way 💌

Thanks! 🙌

What made you interested if you dont mind me asking? Seems like you joined our Discord a long time ago?

Im an amateur dev. I was trying to learn how JWT's worked and i came across your website and saw the breakdowns (which were awesome), and the library. So i bookmarked for it use next time i had to write an app

After these changes auth stopped working at all. After login it doesn't set any cookies/localstorage and I'm redirected back to login screen

Same even outside iframe

@User the change that was made is that we set the cookie's sameSite to

none

.

which would only be applied if the domain is https

if the domain is https, and cookies are still not being applied, do you see any error in the console explaining why they are not getting set?

First it tries to send a /refresh requests with no cookies (as I'm logged out) which returns 401 - which is fine

Then it sends /signin request and gets cookies in response

This also looks right

But then it sends /refresh request again with cookies but the server responds without cookies (server clears cookies)

I'm on https

can you try the same without the

antiCsrf

setting on the backend?

If it still doesn't work, I think it's easiest if we can get on a call to debug..

@User I have updated the supertokens-website package to include the

secure

flag. Please delete yarn.lock and run

yarn upgrade

to get that change. Things should work now. A note about session behaviour on safari: We are using antiCsrf VIA_TOKEN for CSRF protection. This is cause your CORS rules for APIs is probably set to allow any origin to query them (cause you are using an iframe) - if this is not true, then you can remove the

antiCsrf

param from your backend config, and ignore this paragraph (in which case we will be using csrf protection via custom headers). If this is true, it means each request sends an anti-csrf token for CSRF protection. This token is store in frontend cookies. Now safari, caps the lifetime of frontend cookies to 7 days (privacy feature). So that means, if a user is using safari, and they don't refresh a session for 7 days, they will get logged out (only for safari). If this is an issue for you, you can set

antiCsrf

to "NONE", and use another anti csrf method that involves injecting the CSRF token in the html (in conjunction to our lib).

Hi @User the signout method from the example didn't work for me. https://supertokens.io/docs/thirdpartyemailpassword/common-customizations/sign-out

* I have a route which is authenticated * I login using supertokens react authentication -- Using the vanilla form * The authenticated route is now accessible * Click on the logout button, which I created using the example * The authenticated route is still accessible

Does the signout API call succeed?

If yes, post sign out, can send a screenshot of all the cookies that are set on your website domain?

if not, what's the error?

Thanks! Its fixed now 👍 I think my server script which was running the auth routes crashed

ahhh ok!

Hey, I was wondering if there was a way to get more detailed error messages? I've setup the FE and BE as per instructions but the sign up still isn't redirecting to '/'? Thanks

you should be seeing the error in your error handlers on the backend.

If you see here: https://supertokens.io/docs/emailpassword/quick-setup/backend#4-add-the-supertokens-error-handler The code snippet says to add your own error handler

app.use((err, req, res, next) => {...});

. Which will get the error that will explain what's wrong.

Thanks @User