fix session cookie comprehension check
alexisintech committed Dec 16, 2024
1 parent bc8575f commit c13ba2d
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion docs/how-clerk-works/overview.mdx
Expand Up @@ -174,7 +174,9 @@ This example assumes that the user already signed up and their credentials are s
>
> ---
>
> This is a great test of your mastery of [how cookies work](/docs/how-clerk-works/cookies)! For security reasons, the domain of a cookie can only be set as the domain of the server that set the cookie. The server that is returning the request to your application is FAPI. For the client cookie, this is ok, since the client cookie is set on FAPI. However, FAPI cannot set a cookie with your app's domain because it's not your app. Remember, if your app is running at `example.com`, FAPI would run at `clerk.example.com`. Instead, FAPI it sends back the **JWT value** of the session cookie in its response, and Clerk's client side SDK picks it up and uses javascript to set the session cookie on your app directly, since the javascript is running on your app's domain.
> This is a great test of your mastery of [how cookies work](/docs/how-clerk-works/cookies)!
>
> The server that is returning the request to your application is FAPI. For the **client cookie**, this is ok, since the **client cookie** needs to be set on FAPI. However, the **session cookie** needs to be set on your app's domain and remember, **the domain of a cookie can only be set as the domain of the server that set the cookie**. So FAPI cannot set the domain of your **session cookie** to your app's domain. Instead, FAPI returns the **JWT value** of the session cookie in its response, and when the Clerk client-side SDK integrated in your app receives the response, it gets the **JWT value** and uses JavaScript to set the **session cookie** on your app directly, since the JavaScript is running on your app's domain.
<Video
src="/docs/images/how-clerk-works/hybrid-auth.mp4"
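Review bot: the bolded rule on the third added line, "the domain of a cookie can only be set as the domain of the server that set the cookie", is stronger than what browsers enforce and so does not by itself explain why FAPI cannot set the session cookie. Under RFC 6265 a server may put a `Domain` attribute on a cookie naming its own host or any parent domain that is not a public suffix, so in the `example.com` / `clerk.example.com` setup used in this passage FAPI could emit `Set-Cookie: ...; Domain=example.com` and the browser would send that cookie to `example.com`. What a server cannot do is set a cookie for a host it is not under, and a cookie scoped to exactly the app's host (no `Domain` attribute) can only be set by that host. Suggest rewording along the lines of "a server can only set cookies for its own host or for a parent domain of it, and a cookie with a `Domain` attribute is sent to every subdomain of that domain", then stating that the session cookie is deliberately scoped to the app's own host, which is why the client-side SDK sets it from JavaScript running there. Minor wording point on the second added line: "The server that is returning the request to your application" should read "the response", since it is FAPI's response that the SDK reads the JWT from, which is the behaviour the last sentence of the hunk describes.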

0 comments on commit c13ba2d