Development mode
Learn about the special behavior of projects in development mode when working with Corbado’s session management.
To ensure strong security in Corbado’s session management, a combination of techniques is employed. However, it’s important to note that not all of these techniques function properly during local development. Each exceptional case is clarified on this page.
No cookie dropped for refresh-token
In development mode, there is no cookie dropped for the refresh-token. Instead, the refresh-token is stored in the LocalStorage of the browser.
The reason is that some modern browsers (e.g. Safari) have stricter policies against third-party cookies in order to prevent tracking across the web (e.g. with Safari’s Intelligent Tracking Prevention (ITP)).
When developing locally, the host (e.g. http://localhost) differs from the host of the Frontend API (e.g. https://<project ID>.frontendapi.cloud.corbado.io). The browser treats the Frontend API as third-party and does not send any cookies to it (e.g. during the session refresh process).
However, when you set up a CNAME on production, you’re aliasing your host to another host, making cookies appear as first-party rather than third-party.
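The first-party versus third-party distinction described above can be reproduced with a simplified site comparison. This is an added example, not Corbado's code: the project ID `pro-0000`, the CNAME host `auth.example.com`, and the two-entry suffix list are constructed, and real browsers use the full Public Suffix List (and may also compare schemes).

```javascript
// Constructed stand-in for the Public Suffix List (assumption: two entries only).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Registrable domain (eTLD+1) of a hostname,
// e.g. "app.example.com" -> "example.com".
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals and single-label hosts such as "localhost" form their own site.
  if (/^[\d.]+$/.test(host) || host.startsWith("[") || !host.includes(".")) {
    return host;
  }
  const labels = host.split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Classify a request from the page at pageUrl to the API at apiUrl.
// Only hosts are compared here; ports and schemes are ignored (simplification).
function cookieContext(pageUrl, apiUrl) {
  const page = new URL(pageUrl);
  const api = new URL(apiUrl);
  const sameSite =
    registrableDomain(page.hostname) === registrableDomain(api.hostname);
  return sameSite ? "first-party" : "third-party";
}

// Constructed sample hosts following the patterns on this page.
const FRONTEND_API = "https://pro-0000.frontendapi.cloud.corbado.io";
const CNAME_API = "https://auth.example.com"; // hypothetical CNAME alias

// Local development: localhost and corbado.io are different sites.
console.log(cookieContext("http://localhost:3000", FRONTEND_API));
// Production without a CNAME: still a different site.
console.log(cookieContext("https://www.example.com", FRONTEND_API));
// Production with a CNAME under the application's own domain.
console.log(cookieContext("https://www.example.com", CNAME_API));
```
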