Safari localhost by default doesn't persist cookies created by H3 session

[bhouston]

Environment

Latest Safari and MacOS.

This library is being used by TanStack Start and I reported the issue there:

TanStack/router#3492

This affects both the v1 and v2 branches.

Reproduction

The reproduction is given on TanStack Start example here: TanStack/router#3492

But basically cookies will persist by default in Chrome and Firefox on MacOS but not Safari (and I suspect this also happens on iOS.)

Describe the bug

The culprit is in H3 on this line:

h3/src/utils/session.ts

Line 37 in 67e12ae

secure: true,

Basically DEFAULT_COOKIE is used as defaults in updateSession:

h3/src/utils/session.ts

Line 153 in 67e12ae

...DEFAULT_COOKIE,

and also in

h3/src/utils/session.ts

Line 217 in 67e12ae

...DEFAULT_COOKIE,

DEFAULT_COOKIE has secure = true.

But if you use http localhost on Safari in dev mode, cookies will not persist by default not, they will fail silently.

So if you do not specify a value for "cookie.secure" it will end up as true and thus Safari development mode will fail to save cookies.

Note be careful when setting 'secure' to true, as compliant clients will not send the cookie back to the server in the future if the browser does not have an HTTPS connection.

Maybe automatically change cookie secure setting based on process.env.NODE_ENV === 'production' or something similar? That is what I am suggesting to TanStack Start.

Additional context

Again, you can read my original issue over on TanStack Start here describing the issue: TanStack/router#3492

Logs