Fix Safari dev session cookies in SolidStart v2 templates #257
Open
obask wants to merge 1 commit into
Configure H3 session cookies explicitly in the auth, Drizzle, and Prisma templates. The cookies keep HttpOnly, Path=/, and SameSite=Lax, but only set Secure in production. This prevents Safari from losing login state during local development on plain http://localhost while preserving Secure cookies for production. Each template also uses a unique session cookie name to avoid collisions with other localhost apps using H3's default cookie name. H3 session cookie options are configurable through `useSession`: https://h3.dev/examples/handle-session#options
Problem

The SolidStart v2 `with-auth`, `with-drizzle`, and `with-prisma` templates rely on H3's default session cookie settings. H3 sets session cookies as `Secure` by default, which is correct for HTTPS but causes problems in Safari during local development on plain `http://localhost`.

In Safari, this makes login appear broken: the sign-in request succeeds, but the session cookie is not preserved across reloads, so the user is sent back to the login flow. That creates some confusion, as these templates do not work.

Fix

Configure the H3 session cookie explicitly in the affected templates:

- `HttpOnly`
- `Path=/`
- `SameSite=Lax`
- `Secure` only in production (I also checked how Better Auth handles the same local-dev case)

Production deployments still receive `Secure` cookies because `secure` is enabled when `NODE_ENV === "production"`.

H3 session cookie options are configurable through `useSession`: https://h3.dev/examples/handle-session#options

Testing

Before the fix in Safari, the session cookie was returned with `Secure` on `http://localhost`, and login was not preserved after reload:

Tested the updated `with-drizzle` template with:

After the fix, Safari stores the session cookie without `Secure` in local dev:

Note: I initially tested this while experimenting with SSR disabled, but the fix works with SSR enabled as well.
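As an added example (not code from the PR or from the SolidStart templates), the block below builds the session options the PR describes in the shape H3's `useSession` takes and models the cookie-jar rule the fix works around: a `Secure` cookie set over plain `http://localhost` is never stored, so the next request carries no session. The cookie name, password and URLs are placeholders.

```typescript
type SameSite = "lax" | "strict" | "none";

interface CookieOptions {
  httpOnly: boolean;
  path: string;
  sameSite: SameSite;
  secure: boolean;
}

// Session options as the PR describes them, in H3's useSession() shape ({ name, password, cookie }).
// `name` and `password` are placeholders supplied by the caller, not values from the templates.
export function sessionConfig(nodeEnv: string | undefined, name: string, password: string) {
  return {
    name, // unique per template so two localhost apps do not overwrite each other's cookie
    password,
    cookie: {
      httpOnly: true,
      path: "/",
      sameSite: "lax",
      secure: nodeEnv === "production", // Secure only where the app is really served over HTTPS
    } as CookieOptions,
  };
}

// Renders the Set-Cookie header a server emits for these options.
export function serializeCookie(name: string, value: string, o: CookieOptions): string {
  const sameSite = { lax: "Lax", strict: "Strict", none: "None" }[o.sameSite];
  const parts = [`${name}=${value}`, `Path=${o.path}`, `SameSite=${sameSite}`];
  if (o.httpOnly) parts.push("HttpOnly");
  if (o.secure) parts.push("Secure");
  return parts.join("; ");
}

// Strict storage rule (RFC 6265bis): a cookie flagged Secure that arrives over a non-https
// request is ignored entirely. This models the Safari behaviour the PR reports on
// http://localhost; browsers that treat localhost as a secure context accept it anyway.
export function cookieStored(setCookie: string, requestUrl: string): boolean {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const secureFlag = attrs.includes("secure");
  const overHttps = requestUrl.toLowerCase().startsWith("https://");
  return !secureFlag || overHttps;
}

// Does the login survive a reload on plain http://localhost for a given NODE_ENV?
export function devLoginSurvivesReload(nodeEnv: string | undefined): boolean {
  const cfg = sessionConfig(nodeEnv, "with-drizzle-session", "PLACEHOLDER_PASSWORD_32_CHARS_LONG");
  const header = serializeCookie(cfg.name, "opaque-session-id", cfg.cookie); // constructed value
  return cookieStored(header, "http://localhost:3000/login");
}
```

Running `devLoginSurvivesReload("production")` against the localhost URL reproduces the pre-fix failure, while `"development"` shows the cookie being kept.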