Secure cookies and local JSS app development
From Sitecore 10.0.1 onwards, Sitecore sets the Secure flag on all cookies by default.
This can impact JSS local development, as the proxied Sitecore cookies (including analytics cookies) are rejected by the browser if your JSS application is not running under HTTPS. The application does not track visits, and it might not apply content personalization rules.
To solve this problem you have two options:
- Securing your local JSS app.
- Un-securing the Sitecore instance.
Securing your local JSS app
You can enable HTTPS in your local environment by using a local reverse proxy or a service such as ngrok.
If you are running Sitecore in containers for development (recommended), you can use the Traefik reverse proxy provided in the docker-compose environment.
The Sitecore Containers template for Next.js is pre-configured with the Traefik reverse proxy.
If you are using ngrok, you must rewrite the Host header to your local hostname. For example:
ngrok http -host-header=rewrite 3000
Un-securing the Sitecore instance
If the Sitecore instance does not require secure cookies, you can expect your local environment to work without cookie-related issues.
We strongly recommend you do not change the following settings for a production Sitecore instance.
To work around the secure cookies requirement, you can change the Sitecore web.config as follows:
- In the httpCookies configuration, set requireSSL to false and sameSite to Unspecified.
- In the sessionState configuration, set cookieSameSite to Unspecified.
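Because these relaxations must not reach a production instance, a pre-deployment check can flag them in a web.config. The following is an added example, not Sitecore's own tooling; the function name and both sample fragments are constructed for illustration, and the fragments assume the standard ASP.NET placement of httpCookies and sessionState under system.web.

```python
import xml.etree.ElementTree as ET

# (element, attribute, relaxed value) for the three settings named above.
RELAXED_SETTINGS = [
    ("httpCookies", "requireSSL", "false"),
    ("httpCookies", "sameSite", "unspecified"),
    ("sessionState", "cookieSameSite", "unspecified"),
]

# Constructed sample: fragment with the local-development relaxations applied.
RELAXED = """<configuration>
  <system.web>
    <httpCookies requireSSL="false" sameSite="Unspecified" />
    <sessionState mode="InProc" cookieSameSite="Unspecified" />
  </system.web>
</configuration>"""

# Constructed sample (not Sitecore's shipped file): secure cookies still required.
SECURE = """<configuration>
  <system.web>
    <httpCookies requireSSL="true" sameSite="None" />
    <sessionState mode="InProc" cookieSameSite="None" />
  </system.web>
</configuration>"""


def audit_cookie_settings(xml_text):
    """Return one finding per relaxed cookie setting present in the config."""
    root = ET.fromstring(xml_text)
    findings = []
    for element, attr, relaxed in RELAXED_SETTINGS:
        # iter() also reaches elements nested under <location> blocks.
        for node in root.iter(element):
            value = node.get(attr)
            if value is not None and value.strip().lower() == relaxed:
                findings.append(f"{element}/@{attr}={value}")
    return findings


if __name__ == "__main__":
    for name, text in (("relaxed", RELAXED), ("secure", SECURE)):
        print(name, audit_cookie_settings(text) or "no relaxed cookie settings")
```

The check only reports values that are set explicitly; an attribute that is absent is not flagged.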