Login fails on subdomain deployments (e.g., Zeabur) due to incorrect Set-Cookie Domain, works with custom zone apex domain #180

@leechenghsiu

Hi Team,

I am currently working on creating an official template for OpenPanel on Zeabur (https://zeabur.com/), a modern PaaS platform. While the template itself is largely functional, I've encountered a critical issue with the login process that significantly hinders its usability on such platforms.

Problem:

After successfully registering a new account, the subsequent login attempt consistently fails when deployed on a subdomain provided by Zeabur (e.g., xxx.zeabur.app). Upon inspecting the network requests, I observe an API call that fails to redirect, and the browser console shows a Set-Cookie related error:

This attempt to set a cookie via a Set-Cookie header was blocked because its Domain attribute was invalid with regards to the current host url.

Context:

The issue arises because the Set-Cookie header incorrectly sets the Domain attribute to zeabur.app instead of .zeabur.app (or the full subdomain xxx.zeabur.app). This mismatch prevents the browser from setting the session cookie, subsequently blocking successful user login.

Crucial Observation:

Interestingly, I conducted an experiment and found that deploying OpenPanel with a custom domain (specifically, a zone apex like mydomain.com) works as expected. This confirms that the problem is specific to subdomain deployments and not a general cookie handling issue or a Zeabur-specific limitation. When using a custom root domain, the Set-Cookie's Domain attribute correctly matches the host.

Troubleshooting Steps Taken:

I have attempted various solutions to resolve this Set-Cookie problem without success. I also searched your official Discord server and found that another user encountered a very similar issue when deploying to Railway (another PaaS that often uses subdomains). The suggested troubleshooting steps provided there (related to NEXT_PUBLIC_DASHBOARD_URL and NEXT_PUBLIC_API_URL environment variables, and file inspection) did not resolve the core issue for subdomain deployments.

Expected Behavior:

Upon successful login, the Set-Cookie header should correctly set the Domain attribute to match the current host URL (e.g., .zeabur.app or xxx.zeabur.app when deployed on a subdomain), allowing the session cookie to be set and the user to be logged in.

Proposed Solution/Root Cause:

Given the observations, it appears OpenPanel's cookie handling logic correctly sets the Domain attribute for zone apex deployments but fails to dynamically adapt or correctly identify the full subdomain for deployments on platforms like Zeabur. This leads to the "Domain attribute was invalid" error when the host is a subdomain. The application needs to correctly infer or accept the appropriate Domain for Set-Cookie based on the actual host from the request.

This issue significantly impacts the ease of deployment and wider adoption of OpenPanel on common PaaS platforms that utilize subdomains by default. Addressing this would greatly benefit users attempting to deploy OpenPanel flexibly.

Could you please investigate this Set-Cookie domain issue? Thanks!
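
The browser-side check behind the "Domain attribute was invalid" message, modelled after RFC 6265 sections 5.1.3, 5.2.3 and 5.3, as an added example that is not part of the original issue and is not OpenPanel's code. `PUBLIC_SUFFIXES` is a constructed stand-in for the Public Suffix List, listing `zeabur.app` there is an assumption made for illustration, and `chooseDomainAttribute` is a hypothetical server-side helper.

```javascript
// Added example: models how a browser validates the Set-Cookie Domain attribute.
// PUBLIC_SUFFIXES is constructed sample data; treating "zeabur.app" as a
// public suffix is an assumption made for this illustration.
const PUBLIC_SUFFIXES = new Set(["com", "app", "zeabur.app"]);

// RFC 6265 section 5.1.3 (hostnames only; IP-address hosts are not handled here).
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns how the cookie is treated for `host` when Set-Cookie carries the
// given Domain attribute (undefined means the attribute is absent).
function evaluateCookieDomain(host, domainAttr) {
  host = host.toLowerCase();
  if (domainAttr === undefined || domainAttr === "") {
    return { accepted: true, hostOnly: true, scope: host };
  }
  // Section 5.2.3: a leading dot is ignored, so ".x" and "x" are equivalent.
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (PUBLIC_SUFFIXES.has(domain)) {
    // Section 5.3: a public suffix is tolerated only when it equals the host.
    return host === domain
      ? { accepted: true, hostOnly: true, scope: host }
      : { accepted: false, reason: "Domain is a public suffix" };
  }
  if (!domainMatch(host, domain)) {
    return { accepted: false, reason: "host does not domain-match Domain" };
  }
  return { accepted: true, hostOnly: false, scope: domain };
}

// Hypothetical server-side helper: emit Domain only when the operator
// configured one that the request host matches and that is not a public
// suffix; otherwise omit it so the session cookie stays host-only.
function chooseDomainAttribute(host, configuredDomain) {
  if (!configuredDomain) return undefined;
  const verdict = evaluateCookieDomain(host, configuredDomain);
  return verdict.accepted && !verdict.hostOnly
    ? configuredDomain.replace(/^\./, "").toLowerCase()
    : undefined;
}
```

Omitting Domain yields a host-only cookie, which also keeps the session cookie from being sent to other tenants' subdomains on a shared platform domain.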
