Help

[LDM-cyber]

Self Checks

• I have searched for existing issues search for existing issues, including closed ones.
• I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
• [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:)
• Please do not modify this template :) and fill in all the required fields.

1. Is this request related to a challenge you're experiencing? Tell me about your story.

In a front-end and back-end service separation scenario, the front-end page runs on my computer, while the back-end runs on the server. I set "NEXT_PUBLIC_COOKIE_DOMAIN=1" as described in the documentation, but why can't I still log in to the front-end?

2. Additional context or comments

No response

[dosubot[bot]]

Hi @LDM-cyber! I'm Dosu and I’m helping the dify team.

The login issue in your split front-end/back-end setup is likely due to cookie domain configuration and how environment variables are handled during build vs runtime.

For cross-subdomain authentication, you need to set COOKIE_DOMAIN=yourdomain.com (replace with your actual top-level domain) in your backend's api/.env and NEXT_PUBLIC_COOKIE_DOMAIN=yourdomain.com in your frontend's web/.env—not just 1—so both sides agree on the domain for authentication cookies. Both services must be under the same top-level domain to share cookies reliably. After updating these, restart both services and verify in browser DevTools that CSRF, access, and refresh cookies are set with the correct domain and included in API requests. If you use Docker, make sure these variables are set at build time, not just runtime, since Next.js only reads them during the build phase. Setting them in docker-compose.yml after the image is built has no effect; you must rebuild the frontend image with the correct variables included at build time. See this issue and explanation.

Common mistakes include using IP addresses instead of domains, setting environment variables only at runtime, or not restarting services after changes. Also, check that your reverse proxy or CDN isn’t stripping cookies or headers, and that HTTPS is properly configured across all subdomains.

If login still fails, gather browser and backend logs and confirm that the environment variables are present during the frontend build process. For more details, see the official guidance and recent fixes:

• COOKIE_DOMAIN and NEXT_PUBLIC_COOKIE_DOMAIN usage
• Build-time environment variable requirements
• Recent CSRF/cookie domain fixes

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}