Frontend (app.quantfortune.com) fetches API (api.quantfortune.com).
With SameSite=Lax the browser won't send the cookie on cross-origin
fetch calls, so the server sees no session and the request fails.
Adding COOKIE_DOMAIN=.quantfortune.com makes the cookie valid for
all subdomains. Mohan needs to add this to .env and restart.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Session cookie was scoped to api.quantfortune.com only.
Setting COOKIE_DOMAIN=.quantfortune.com in .env makes the
cookie shared across all subdomains so app.quantfortune.com
can authenticate against api.quantfortune.com.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
