From 5cd291966917a4cf2558e2ac46e76e2a42da618c Mon Sep 17 00:00:00 2001
From: Bryce Kalow
Date: Wed, 24 Sep 2025 16:33:46 -0500
Subject: [PATCH 1/5] Adds activeContext cookie handler with proper secure attribute
---
 .../src/core/auth/AuthCookieService.ts | 5 +++--
 .../src/core/auth/cookies/activeContext.ts | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 packages/clerk-js/src/core/auth/cookies/activeContext.ts
diff --git a/packages/clerk-js/src/core/auth/AuthCookieService.ts b/packages/clerk-js/src/core/auth/AuthCookieService.ts
index 6cbdd8207e7..32f9010bd5a 100644
--- a/packages/clerk-js/src/core/auth/AuthCookieService.ts
+++ b/packages/clerk-js/src/core/auth/AuthCookieService.ts
@@ -9,6 +9,7 @@ import type { Clerk, InstanceType } from '@clerk/types';
 import { clerkMissingDevBrowserJwt } from '../errors';
 import { eventBus, events } from '../events';
 import type { FapiClient } from '../fapiClient';
+import { createActiveContextCookie } from './cookies/activeContext';
 import type { ClientUatCookieHandler } from './cookies/clientUat';
 import { createClientUatCookie } from './cookies/clientUat';
 import type { SessionCookieHandler } from './cookies/session';
@@ -75,7 +76,7 @@ export class AuthCookieService {
 this.clientUat = createClientUatCookie(cookieSuffix);
 this.sessionCookie = createSessionCookie(cookieSuffix);
- this.activeCookie = createCookieHandler('clerk_active_context');
+ this.activeCookie = createActiveContextCookie();
 this.devBrowser = createDevBrowser({
 frontendApi: clerk.frontendApi,
 fapiClient,
@@ -232,7 +233,7 @@ export class AuthCookieService {
 const contextValue = `${sessionId}:${orgId}`;
 if (contextValue !== ':') {
- this.activeCookie.set(contextValue);
+ this.activeCookie.set(contextValue, {});
 } else {
 this.activeCookie.remove();
 }
diff --git a/packages/clerk-js/src/core/auth/cookies/activeContext.ts b/packages/clerk-js/src/core/auth/cookies/activeContext.ts
new file mode 100644
index 00000000000..1313035057c
--- /dev/null
+++ b/packages/clerk-js/src/core/auth/cookies/activeContext.ts
@@ -0,0 +1,20 @@
+import { createCookieHandler } from '@clerk/shared/cookie';
+
+import { getSecureAttribute } from '../getSecureAttribute';
+
+export const createActiveContextCookie = () => {
+ const handler = createCookieHandler('clerk_active_context');
+ const attributes = { Secure: getSecureAttribute('None') };
+
+ return {
+ set: (value: string) => {
+ handler.set(value, attributes);
+ },
+ get: () => {
+ return handler.get();
+ },
+ remove: () => {
+ return handler.remove(attributes);
+ },
+ };
+};
From 37bbf87caa53336722fe6cc228af5191b654338a Mon Sep 17 00:00:00 2001
From: Bryce Kalow
Date: Wed, 24 Sep 2025 16:34:35 -0500
Subject: [PATCH 2/5] adds changeset
---
 .changeset/lucky-showers-guess.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/lucky-showers-guess.md
diff --git a/.changeset/lucky-showers-guess.md b/.changeset/lucky-showers-guess.md
new file mode 100644
index 00000000000..3a21df15d8d
--- /dev/null
+++ b/.changeset/lucky-showers-guess.md
@@ -0,0 +1,5 @@
+---
+'@clerk/clerk-js': patch
+---
+
+Update active context cookie to properly set `Secure` attribute.
From 1bede38b0b4bd6f6ee8c4e1d8f41f496ec8ae0d1 Mon Sep 17 00:00:00 2001
From: Bryce Kalow
Date: Wed, 24 Sep 2025 16:42:04 -0500
Subject: [PATCH 3/5] remove code per comment
---
 packages/clerk-js/src/core/auth/AuthCookieService.ts | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/packages/clerk-js/src/core/auth/AuthCookieService.ts b/packages/clerk-js/src/core/auth/AuthCookieService.ts
index 32f9010bd5a..99f5f64a362 100644
--- a/packages/clerk-js/src/core/auth/AuthCookieService.ts
+++ b/packages/clerk-js/src/core/auth/AuthCookieService.ts
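Review bot: In the new `createActiveContextCookie`, `getSecureAttribute('None')` is given what reads as a SameSite mode, yet `attributes` holds only the secure flag, so the cookie is written with no explicit SameSite and the browser default applies. If the helper's result depends on that mode (its body is not visible here), the flag is being computed for a mode this cookie never declares. Either pass the mode the cookie really uses and set it in `attributes` next to the secure flag, or record the intent above `attributes`, e.g. `// No sameSite is set on this cookie; 'None' is passed only to pick the Secure flag.` The series also adds no test pinning the attributes handed to `handler.set` and `handler.remove`, which is worth having for a cookie that carries the session and organization ids.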
@@ -1,6 +1,6 @@
 import type { createClerkEventBus } from '@clerk/shared/clerkEventBus';
 import { clerkEvents } from '@clerk/shared/clerkEventBus';
-import { createCookieHandler } from '@clerk/shared/cookie';
+import type { createCookieHandler } from '@clerk/shared/cookie';
 import { setDevBrowserJWTInURL } from '@clerk/shared/devBrowser';
 import { is4xxError, isClerkAPIResponseError, isClerkRuntimeError, isNetworkError } from '@clerk/shared/error';
 import { noop } from '@clerk/shared/utils';
@@ -85,10 +85,6 @@ export class AuthCookieService {
 }
 public async setup() {
- // Cleanup old cookie
- // TODO: This should be removed after 2025-08-01
- createCookieHandler('clerk_active_org').remove();
-
 if (this.instanceType === 'production') {
 return this.setupProduction();
 } else {
From bee3fa6a383068a4a86d745d1a0b9be51c920ca3 Mon Sep 17 00:00:00 2001
From: Bryce Kalow
Date: Wed, 24 Sep 2025 16:43:24 -0500
Subject: [PATCH 4/5] lowercase secure
---
 packages/clerk-js/src/core/auth/cookies/activeContext.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/clerk-js/src/core/auth/cookies/activeContext.ts b/packages/clerk-js/src/core/auth/cookies/activeContext.ts
index 1313035057c..36dea5b4339 100644
--- a/packages/clerk-js/src/core/auth/cookies/activeContext.ts
+++ b/packages/clerk-js/src/core/auth/cookies/activeContext.ts
@@ -4,7 +4,7 @@ import { getSecureAttribute } from '../getSecureAttribute';
 export const createActiveContextCookie = () => {
 const handler = createCookieHandler('clerk_active_context');
- const attributes = { Secure: getSecureAttribute('None') };
+ const attributes = { secure: getSecureAttribute('None') };
 return {
 set: (value: string) => {
From 77bf8ff9f9b5d6292cc0a983598c222c9886b694 Mon Sep 17 00:00:00 2001
From: Bryce Kalow
Date: Wed, 24 Sep 2025 16:44:04 -0500
Subject: [PATCH 5/5] Apply suggestion from @brkalow
---
 packages/clerk-js/src/core/auth/AuthCookieService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
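Review bot: Keeping `createCookieHandler` as a type-only import in the first hunk suggests the `activeCookie` field is still typed from the generic handler (its declaration is outside these hunks), while the constructor now assigns the narrower wrapper whose `set` takes only `value`. A field type that still accepts cookie options lets a caller pass attributes the wrapper never forwards, which is presumably how `set(contextValue, {})` compiled in the first patch. The sibling modules already export `ClientUatCookieHandler` and `SessionCookieHandler`; doing the same here with `export type ActiveContextCookieHandler = ReturnType<typeof createActiveContextCookie>;` and typing the field with it would make such calls a compile error.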
diff --git a/packages/clerk-js/src/core/auth/AuthCookieService.ts b/packages/clerk-js/src/core/auth/AuthCookieService.ts
index 99f5f64a362..932b639b1ba 100644
--- a/packages/clerk-js/src/core/auth/AuthCookieService.ts
+++ b/packages/clerk-js/src/core/auth/AuthCookieService.ts
@@ -229,7 +229,7 @@ export class AuthCookieService {
 const contextValue = `${sessionId}:${orgId}`;
 if (contextValue !== ':') {
- this.activeCookie.set(contextValue, {});
+ this.activeCookie.set(contextValue);
 } else {
 this.activeCookie.remove();
 }