Cookies not set on home endpoint

We are trying to build a simple Zoom app where we want to allow users to do networking within the Zoom app.
To achieve this, our flow is simple:

  1. User installs the application - here, we create a user in our system and keep track of the same
  2. It hits the home endpoint that Zoom calls on app load - at this point, we generate a token and set an httpOnly and secure cookie which contains a session token. This session token is critical for our application because all the future APIs that will call our app will carry this token. This token will identify the users in our app so we can allow or deny them based on it.

All is working fine, and we are getting hit on the home endpoint, and our code is generating a token and setting it as part of the response back to the app, which is nothing but a redirect URL with the cookie in it.

Though this cookie is httpOnly and secure, as per the docs, it’s not being set in the Zoom client. The only point to note here is that our frontend and backend domains are different.

Example:

Zoom FE URL: jayesh-client.ngrok.io
Backend URL: jayesh-server.ngrok.io

Can someone help drill down into what can be causing this discrepancy? Are there any other changes we have to make to make this work? Generating the token and setting it via a cookie is a very critical piece of our application as it deals with security, so we want to make sure we get it right and that it works so there are no security loopholes.

Hi Jayesh!

Off the bat, the problem seems likely to be your 2 domains. Cookies are domain-specific unless otherwise specified. If what I’m thinking is correct, you could look at 1 or 2 solutions:

  1. Set the cookies from your backend, e.g. after the redirect
  2. Try enabling subdomains. I wouldn’t go this way first, just because browsers are increasingly strict about cookies. Nonetheless, I think this Stack Overflow question might be a good place to start exploring: http - How do browser cookie domains work? - Stack Overflow
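To make the domain-scoping point concrete, here is an added example (not code from either post, nor from Zoom's SDK) that models how a browser decides where a cookie set by the backend host is stored and which requests it is attached to, following RFC 6265 domain matching. The hostnames are the two from the question; the session value and the tiny public-suffix table are constructed stand-ins (the real browser consults the full Public Suffix List, on which `ngrok.io` is listed).

```javascript
// Added example: models browser cookie scoping for the two-host setup in the
// question. Hostnames come from the question; the token value and the
// public-suffix table below are constructed for illustration.

// Constructed stand-in for the Public Suffix List entries relevant here.
const PUBLIC_SUFFIXES = new Set(["io", "ngrok.io"]);

// Build a Set-Cookie header value for a session token.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || "/"}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf("=");
    if (i === -1) attrs[item.toLowerCase()] = true;
    else attrs[item.slice(0, i).toLowerCase()] = item.slice(i + 1);
  }
  return {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    attrs,
  };
}

// RFC 6265 section 5.1.3 domain matching: exact host, or a subdomain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Decide how a browser stores a cookie received in a response from settingHost.
// Returns null when the cookie is rejected, otherwise the stored record.
function storeCookie(settingHost, header) {
  const c = parseSetCookie(header);
  const secure = !!c.attrs.secure;
  // Browsers only honour SameSite=None when Secure is also present.
  if ((c.attrs.samesite || "").toLowerCase() === "none" && !secure) return null;
  if (c.attrs.domain) {
    const d = c.attrs.domain.toLowerCase().replace(/^\./, "");
    if (PUBLIC_SUFFIXES.has(d)) return null;         // cannot set on a public suffix
    if (!domainMatches(settingHost, d)) return null; // cannot set for a foreign host
    return { ...c, hostOnly: false, domain: d, secure };
  }
  // No Domain attribute: a host-only cookie bound to the exact setting host.
  return { ...c, hostOnly: true, domain: settingHost.toLowerCase(), secure };
}

// Would the stored cookie be attached to a request for scheme://host ?
function cookieSentTo(stored, scheme, host) {
  if (!stored) return false;
  if (stored.secure && scheme !== "https") return false;
  return stored.hostOnly
    ? host.toLowerCase() === stored.domain
    : domainMatches(host, stored.domain);
}

// Scenario from the question: the backend sets a host-only session cookie.
const backendHost = "jayesh-server.ngrok.io";
const frontendHost = "jayesh-client.ngrok.io";
const sessionHeader = buildSetCookie("session", "constructed-opaque-token", {
  httpOnly: true, secure: true, sameSite: "None", maxAge: 3600,
});
const storedSession = storeCookie(backendHost, sessionHeader);

console.log(sessionHeader);
console.log("sent to backend:", cookieSentTo(storedSession, "https", backendHost));
console.log("sent to frontend:", cookieSentTo(storedSession, "https", frontendHost));
```

Running it shows the cookie is bound to `jayesh-server.ngrok.io` only: it travels with every later HTTPS request to the backend (which is what the session check needs) but never with requests to `jayesh-client.ngrok.io`, and a `Domain=ngrok.io` attempt to share it across the two hosts is rejected because that is a public suffix. For the frontend's API calls to carry the cookie cross-origin, the backend has to keep `SameSite=None; Secure` and the browser-side requests have to be made with credentials enabled under a CORS policy that allows them; this is standard browser behaviour rather than something the thread itself states.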