Description
Labels: bug, auth, frontend, critical
Affected Files: Login.tsx, Signup.tsx
What's broken
The backend correctly implements session-based authentication using express-session and passport.session(), and its CORS policy includes credentials: true. However, the frontend Axios requests in Login.tsx and Signup.tsx do not pass { withCredentials: true }.
Without this flag, browsers apply their default cross-origin behavior: they silently discard the Set-Cookie header on the login response, so connect.sid is never stored. Every subsequent request goes out without a session cookie, and the server treats the user as unauthenticated.
Impact
Login appears to succeed — the server responds with a 200 and sets the session cookie — but the session is immediately lost. Any follow-up request (fetching the user profile, accessing a protected route, etc.) returns 401 Unauthorized. The authentication system is entirely non-functional for all users.
Why this is easy to miss
The login request itself returns 200 OK, so the bug is not obvious from the network tab at first glance. The Set-Cookie header is present in the response — the browser just silently ignores it due to the missing credential flag. The failure only surfaces on the next authenticated request.
Fix
Add withCredentials: true to every Axios request in Login.tsx and Signup.tsx:
await axios.post('/api/auth/login', formData, { withCredentials: true });
Or set it globally once in the Axios configuration so all requests include it by default — this is the safer option as it prevents the same issue from reappearing on future authenticated endpoints:
// e.g. in src/lib/axios.ts or at app entry point
axios.defaults.withCredentials = true;
The backend CORS config already has credentials: true — no server-side changes are needed.