Dify cross domain problem

[worldpathbreaker]

Self Checks

• I have searched for existing issues search for existing issues, including closed ones.
• I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
• [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:)
• Please do not modify this template :) and fill in all the required fields.

Content

I have set up WEB_CPI_CORS.ALOW'ORIGINS=* CONSOLE-CORS-ALLOW_SRIGINS=* After this, the front-end service 192.168.1.188.3000 accesses 192.168.1.217:5001 and clicking login will refresh the page and redirect to the login page.

[dosubot[bot]]

Hi @worldpathbreaker! I'm Dosu and I’m helping the dify team.

This is a SameSite cookie issue, not just a CORS problem. Dify sets cookies with samesite="Lax" by default, which browsers block for cross-site requests when your frontend (192.168.1.188:3000) and backend (192.168.1.217:5001) are on different hosts.

To fix this, configure your backend .env:

WEB_API_CORS_ALLOW_ORIGINS=http://192.168.1.188:3000,*
CONSOLE_CORS_ALLOW_ORIGINS=http://192.168.1.188:3000,*
CONSOLE_API_URL=http://192.168.1.217:5001
CONSOLE_WEB_URL=http://192.168.1.188:3000
COOKIE_DOMAIN=

Critical: Leave COOKIE_DOMAIN empty for cross-host setups—don't set it to a domain or IP.

And configure your frontend .env.local:

NEXT_PUBLIC_API_PREFIX=http://192.168.1.217:5001/console/api
NEXT_PUBLIC_PUBLIC_API_PREFIX=http://192.168.1.217:5001/api

After making changes, clear your browser cookies and restart both services.

Better long-term solution: Use HTTPS for both frontend and backend (self-signed certificates work for local dev). This allows secure cookie handling for cross-origin setups.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}