Fix reconnect broker: share session cookie across subdomains

Frontend (app.quantfortune.com) fetches API (api.quantfortune.com). With SameSite=Lax the browser won't send the cookie on cross-origin fetch calls, so the server sees no session and the request fails. Adding COOKIE_DOMAIN=.quantfortune.com makes the cookie valid for all subdomains. Mohan needs to add this to .env and restart. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 23:31:46 +05:30 · 2026-05-20 23:31:46 +05:30 · 02922adc9a
commit 02922adc9a
parent 74d8db1de0
2 changed files with 4 additions and 0 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@ -11,6 +11,8 @@ RESET_OTP_SECRET=
 # ── Environment ───────────────────────────────────────────────────────────────
 APP_ENV=production
 CORS_ORIGINS=https://quantfortune.com,https://www.quantfortune.com,https://app.quantfortune.com,https://www.app.quantfortune.com
+# Required when frontend and API are on different subdomains (e.g. app. vs api.)
+COOKIE_DOMAIN=.quantfortune.com

 # ── Database ──────────────────────────────────────────────────────────────────
 DATABASE_URL=postgresql://user:password@localhost:5432/quantfortune
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@ -19,6 +19,7 @@ APP_ENV = (os.getenv("APP_ENV") or os.getenv("ENVIRONMENT") or os.getenv("FASTAP
 IS_PRODUCTION = APP_ENV in {"prod", "production"}
 COOKIE_SECURE = True if IS_PRODUCTION else os.getenv("COOKIE_SECURE", "0") == "1"
 COOKIE_SAMESITE = (os.getenv("COOKIE_SAMESITE") or "lax").lower()
+COOKIE_DOMAIN = (os.getenv("COOKIE_DOMAIN") or "").strip() or None
 if IS_PRODUCTION and not COOKIE_SECURE:
    raise RuntimeError("Secure session cookies are mandatory in production")

@ -33,6 +34,7 @@ def _set_session_cookie(response: Response, session_id: str):
        max_age=SESSION_TTL_SECONDS,
        secure=COOKIE_SECURE,
        path="/",
+        domain=COOKIE_DOMAIN,
    )