How Do I Keep JWT Refresh Tokens In Cross-Origin Cookies

Osman Zakir 121 Reputation points
2024-05-13T11:52:03.01+00:00

I have a project where I've built a personal library app using the MERN stack, but the server and client are on different URLs on Render.

I'm storing a JWT refresh token in secure HTTP cookies that have the same-site property set to false. But I read under issues in the Edge browser that cross-origin cookies will be blocked in a future update.

How can I resolve this issue? Is there any way for me to address the privacy concerns and avoid having to remove the cross-origin cookie?

Would PKCE help my issue? I remember reading that some ways people use to store JWT refresh tokens aren't secure. Is PKCE included in those?


Accepted answer
  1. ShiJieLi-MSFT 8,026 Reputation points Microsoft Vendor
    2024-05-14T05:37:45.0833333+00:00

    Hi @Osman Zakir,

    In my opinion, you can take a look at the CHIPS proposal (Cookies Having Independent Partitioned State). The CHIPS proposal offers a new but more limited escape hatch: a developer may opt in to partitioning their cookie so that it's no longer a "3rd party cookie"; it's instead a partitioned cookie. It then works around the issue of third-party cookies, which will be blocked in the future.

    CHIPS is now supported by Microsoft Edge.

    For more information, you can refer to this MDN doc.



    Best Regards,

    Shijie Li
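The cookie attributes that the CHIPS approach in the answer above calls for, applied to the refresh-token cookie from the question, as an added example that is not part of the original thread. The cookie name and the functions `buildRefreshCookie` and `auditSetCookie` are hypothetical, and the token values are constructed samples.

```javascript
// Added example: COOKIE_NAME, buildRefreshCookie and auditSetCookie are hypothetical names.
const COOKIE_NAME = "__Host-refresh"; // __Host- prefix: needs Secure, Path=/, no Domain

// Build the Set-Cookie value for a refresh token used by a cross-site front end.
function buildRefreshCookie(token, maxAgeSeconds) {
  return [
    `${COOKIE_NAME}=${encodeURIComponent(token)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",      // not readable from page JavaScript
    "Secure",        // required by both SameSite=None and Partitioned
    "SameSite=None", // allow the cookie on cross-site fetch/XHR requests
    "Partitioned",   // CHIPS: cookie is keyed to the top-level site
  ].join("; ");
}

// Parse one Set-Cookie value and report what would stop it working as a
// partitioned cross-site cookie, or weaken it as a refresh-token store.
function auditSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const attrs = new Map();
  for (const part of attrParts) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs.set(key, eq === -1 ? "" : part.slice(eq + 1));
  }
  const findings = [];
  if (!attrs.has("secure")) findings.push("missing Secure");
  if (!attrs.has("httponly")) findings.push("missing HttpOnly");
  if ((attrs.get("samesite") || "").toLowerCase() !== "none")
    findings.push("SameSite is not None");
  if (!attrs.has("partitioned")) findings.push("missing Partitioned");
  if (name.startsWith("__Host-") && (attrs.get("path") !== "/" || attrs.has("domain")))
    findings.push("__Host- prefix needs Path=/ and no Domain");
  return findings;
}

// Constructed sample values, not real tokens.
const good = buildRefreshCookie("constructed.sample.token", 7 * 24 * 3600);
const legacy = "refresh=constructed.sample.token; Path=/; HttpOnly; Secure; SameSite=None";
console.log(good);
console.log(auditSetCookie(good));
console.log(auditSetCookie(legacy));
```

The `legacy` header is the unpartitioned cross-site cookie the question describes; the audit flags it only for the missing `Partitioned` attribute.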

