DEV Community


Posted on

How I fixed this one weird bug!

I run a small web app for my company, which acts as a CRM + dashboard, using Nuxt + Nhost and hosted on Vercel.

This morning, I pushed a small update and sat back comfortable in the assurance of automatic continuous deployment taking care of everything.

But I wouldn't be writing this if it had all gone smoothly, would I?

The first time I noticed something was wrong, was when the dashboard redirected to the login page. (It's set up to auto-refresh on every update). I went to log back in, but I noticed something odd: Instead of being, the url was pointing to Why's that such a big deal? Because I was using as the cookie domain for authentication!

It turns out that buried in the Vercel changelog is this post:

As part of our strategy for making them simpler, we're starting with applying a consistent format on February 20th 2021:
Custom Domains and Automatic URLs ending in will instead end in

  • Automatic Deployment URLs like will gain the slug of the owner Vercel scope to match Automatic Branch URLs:
  • Automatic Branch URLs like will lose their second subdomain level in favor of a dash:
  • Automatic Project URLs like and Automatic Team Member URLs like will be adjusted like Automatic Branch URLs.

Now they tell me!

It should be as simple as changing the cookie-setting code to use as the domain:

return this.cookies.set(`${this.options.prefix}.${name}`, value, {
-  domain: !this.isDev ? '' : 'localhost',
+  domain: !this.isDev ? '' : 'localhost',
  path: '/',
  sameSite: false,
Enter fullscreen mode Exit fullscreen mode

But this didn't work. What was going on? I was doing something wrong, but I couldn't work it out because it had been working fine before with I set a bunch of breakpoints around where cookies were being set, but they seemed to fail silently to no cookie being set. I even tried setting cookies manually in the browser console:

> document.cookie = "my=cookie;"
> document.cookie

> document.cookie = ";;"
> document.cookie

> document.cookie = ";;"
> document.cookie
Enter fullscreen mode Exit fullscreen mode

Very strange - I couldn't set cookies at all, either through cookie-universal-nuxt or through plain JS document.cookie, if the cookie domain was

I had a niggling feeling that there was something stopping being used, because then surely I'd be making a cookie that applied to all Vercel URLs. Previously, was another level of subdomains, so it might have had some sandboxing. I knew you can't make cookies that apply to .com or, so maybe I should refresh my understanding of that. This train of thought led me to this very helpful Mozilla Wiki page. I quote:

Previously, browsers used an algorithm which basically only denied setting wide-ranging cookies for top-level domains with no dots (e.g. com or org). However, this did not work for top-level domains where only third-level registrations are allowed (e.g. In these cases, websites could set a cookie for which will be passed onto every website registered under
Clearly, this was a security risk as it allowed websites other than the one setting the cookie to read it, and therefore potentially extract sensitive information.
Since there is no algorithmic method of finding the highest level at which a domain may be registered for a particular top-level domain (the policies differ with each registry), the only method is to create a list of all top-level domains and the level at which domains can be registered. This is the aim of the effective TLD list.

So I wonder if this list has anything interesting in it? Sure enough...

  // Vercel, Inc :
  // Submitted by Connor Davis

Great! That must be what's going on! Now I had to commission a third-level subdomain using the provided. This would then use auth on without polluting anything on the main domain.

Sure enough, with the cookie URL reconfigured, the subdomains all set up, and a bit of luck, I could now log on without problems. The last step was changing everyone's bookmarks, and updating the dashboard pages!

Top comments (3)

njbarrett profile image
Nick Barrett

Man you are an absolute life saver, as I've been dealing with this for the last 3 hours with no dice. Legendary

anujsachan1990 profile image
Anuj Sachan

saved my time.

goodpickle profile image
Robert Jensen

Just what I needed! Thanks for the great explanation.