Is it possible to send secure cookies and decrypt them on a custom backend?

[cindygu4]

I'm currently trying to share secure session tokens across subdomains, and for NextAuth I'm using the database strategy (so no JWTs).

As of right now, I've set the options for my session token cookie to something similar to this example in the documentation except I have secure: false. This works when I try to send the session token from my frontend to an api on a subdomain (e.g. from example.com to api.example.com). However, when I set the secure option to false, it somehow is no longer included in the request. Does anyone know why this is the case?

Additionally, is it even possible to decrypt the secure session token cookie that is sent along with a request?

[balazsorban44]

From the docs you link to, make sure you read this

Setting this option to false in production is a security risk and may allow sessions to be hijacked if used in production. It is intended to support development and testing. Using this option is not recommended

your custom backend should create its own tokens. NextAuth.js tokens are only meant for the app itself.

[cindygu4]

From the docs you link to, make sure you read this

Setting this option to false in production is a security risk and may allow sessions to be hijacked if used in production. It is intended to support development and testing. Using this option is not recommended

Got it, thanks.

your custom backend should create its own tokens. NextAuth.js tokens are only meant for the app itself.

I was trying to use the next auth session token included in the request to authenticate a user in my MongoDB database before allowing them to complete actions. Would this not be possible with the secure session token cookie then?