Secure cookies and local JSS app development
This topic is only relevant if you're using the older, chromes-based method to integrate with Pages. You don't need to do any of this if you're using the newer, metadata-based integration added in JSS 22.1.
XM Cloud sets the Secure flag on all cookies by default.
This can impact JSS local development, as the proxied cookies are rejected by the browser if your JSS application is not running under HTTPS. The application does not track visits, and it might not apply content personalization rules.
To solve this problem you have two options:
- Securing your local JSS app.
- Un-securing the instance.
Securing your local JSS app
You can enable HTTPS in your local environment by using a local reverse proxy or a service such as ngrok.
If you are running XM Cloud in containers for development (recommended), you can use the Traefik reverse proxy provided in the docker-compose environment.
Official container-based templates come pre-configured with the Traefik reverse proxy.
If you are using ngrok, you must rewrite the Host header to your local hostname. For example:
ngrok http -host-header=rewrite 3000
Un-securing the Sitecore instance
If the XM Cloud instance does not require secure cookies, you can expect your local environment to work without cookie-related issues.
We strongly recommend you do not change the following settings for a production instance.
To work around the secure cookies requirement, you can change the web.config as follows:
- In the httpCookies configuration, set requireSSL to false and sameSite to Unspecified.
- In the sessionState configuration, set cookieSameSite to Unspecified.
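A deployment check for the workaround above, as an added example that is not part of the original documentation: it parses a web.config and reports the relaxed values named in the steps, so they can be caught before they reach a production instance. The function name and both sample fragments are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# (element, attribute, relaxed value) triples for the local-development
# workaround described above; values are compared case-insensitively.
WORKAROUND_VALUES = [
    ("httpCookies", "requireSSL", "false"),
    ("httpCookies", "sameSite", "unspecified"),
    ("sessionState", "cookieSameSite", "unspecified"),
]


def find_relaxed_cookie_settings(web_config_xml):
    """Return 'element@attribute=value' for each relaxed setting found.

    Accepts str or bytes. Assumes the config elements carry no XML namespace.
    """
    root = ET.fromstring(web_config_xml)
    findings = []
    for element_name, attribute, relaxed_value in WORKAROUND_VALUES:
        # iter() walks the whole tree, so elements nested under
        # <location> blocks are found as well.
        for element in root.iter(element_name):
            value = element.get(attribute)
            if value is not None and value.strip().lower() == relaxed_value:
                findings.append(f"{element_name}@{attribute}={value}")
    return findings


# Constructed sample fragments, not taken from a real Sitecore web.config.
DEV_WORKAROUND = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="false" sameSite="Unspecified" />
    <sessionState mode="InProc" cookieSameSite="Unspecified" />
  </system.web>
</configuration>"""

SECURE_SAMPLE = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="None" />
    <sessionState mode="InProc" cookieSameSite="None" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the dev sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DEV_WORKAROUND
    results = find_relaxed_cookie_settings(data)
    for item in results:
        print("relaxed cookie setting:", item)
    sys.exit(1 if results else 0)
```

Run with the path to a web.config as the only argument; a non-zero exit status means at least one of the workaround values is present, which makes the script usable as a gate in a release pipeline.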