Handling cross subdomain requests

I have a use case where the user of my app changes the subdomain for their account and we redirect them to the new subdomain. However, based on my understanding, the FetchOptions#credentials setting is preventing it from passing along the session cookie. So, when the redirect happens, they end up getting redirected to the login page instead.

Is there a way to override this setting? Or to catch the request and manually handle it?

Hi, I was looking for this and found the GoRails blog about this; it may help you. This will help you to share cookies across subdomains. Happy learning.

Hey @haiderRizvii,

Thanks for your reply. We are good on the Rails side. That is all working as expected. The problem is that when I allow Turbo to handle the redirect to the new subdomain, the Rails session cookie is nil, I believe due to how the fetch request is configured in Turbo.

I’m getting around it now using a Stimulus controller that forces a full page load by setting location.assign(). But this creates what seems like an unnecessary page flicker.


@aaricpittman Probably it is needed to allow changing the credentials param Turbo sets in this case to includes and then handle the CORS stuff, but the default needs to stay same-origin.

Btw, this article may be useful: Fetch: Cross-Origin Requests

As explained in the article, Fetch does not send cookies for different origins (even subdomains).

Hey @marcelolx. Thanks for your response. And that was my question. Is there a way to pass down custom options? From the little traversing of the Turbo codebase that I did, it did not appear that there was a way, but I also don’t code in JavaScript that much, so I thought there might be something I’m missing.

Or if someone knew of a way to manually handle the fetch request but have the turbo session handle the response.

Also, based on my understanding, the credentials option for fetch controls whether or not the client will include the cookies for different origins, and the default setting is same-origin, which only includes those of the same origin. However, you can set credentials to include and it will include cookies from other origins (Using the Fetch API - Web APIs | MDN).

However, based on that article, it sounds like I’ll need the CORS header to explicitly state the domains.
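
An added example, not part of the thread and not Turbo or Rails code: when a fetch is made with credentials set to include, browsers only expose the response if Access-Control-Allow-Origin names the exact requesting origin (a wildcard is refused) and Access-Control-Allow-Credentials is true. The code below shows the server-side decision of which origins get those headers; the base domain `example.com` and the function names `allowedOrigin` and `corsHeaders` are assumptions made for illustration.

```javascript
// Added example: choosing CORS headers for a credentialed cross-subdomain fetch.
// BASE_DOMAIN is a constructed placeholder, not a value from the thread.
const BASE_DOMAIN = "example.com";

// Returns the origin to echo back, or null if it must not receive credentials.
function allowedOrigin(originHeader) {
  if (typeof originHeader !== "string") return null;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null; // malformed value, or the literal "null" origin
  }
  if (url.protocol !== "https:") return null; // session cookies stay on TLS
  const host = url.hostname;
  // Exact match or a true subdomain. The leading dot keeps look-alike
  // hosts such as "evilexample.com" from passing a plain suffix check.
  const inScope = host === BASE_DOMAIN || host.endsWith("." + BASE_DOMAIN);
  if (!inScope) return null;
  // A genuine Origin header is exactly scheme://host[:port]; anything that
  // does not round-trip (path, userinfo, upper case) is rejected.
  return url.origin === originHeader ? url.origin : null;
}

// Builds the CORS response headers for one request's Origin header.
function corsHeaders(originHeader) {
  // Vary: Origin stops caches from serving one origin's grant to another.
  const headers = { Vary: "Origin" };
  const origin = allowedOrigin(originHeader);
  if (origin !== null) {
    headers["Access-Control-Allow-Origin"] = origin; // never "*" with credentials
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}
```

Echoing the Origin header back without the allowlist check would let any site read authenticated responses, which is why the match is made on the parsed hostname rather than on the raw string.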