Cookie auth
Route cookie-based sessions through FlowMock without losing login state.
Lots of apps authenticate with cookies — Set-Cookie on login, browser sends them back automatically. That works great until you put a proxy in the middle.
FlowMock can forward cookies to staging and pass Set-Cookie responses back to your app. But there's a catch with custom domains: cookies are picky about which domain they're set for.
The problem
When your app talks directly to staging-api.yourcompany.com, cookies are scoped to that domain. Point your app at a FlowMock proxy URL (p.flowmock.dev or a custom domain), and cookie domains might not line up.
Symptoms:
- Login works on staging, breaks through the proxy
- Session cookies aren't sent on subsequent requests
- Set-Cookie responses get ignored by the browser
The fix: custom domain + CNAME
The reliable setup is a custom domain for your FlowMock proxy:
- Add a domain in FlowMock (e.g. api-qa.yourcompany.com)
- Create a CNAME record pointing to FlowMock's target
- Verify the domain in dashboard settings
- Point your app at https://api-qa.yourcompany.com instead of the default proxy URL
Now cookies can be scoped to a subdomain of your real domain. The browser treats it like talking to your own infrastructure.
When your API is on a subdomain (e.g. mock-api.yourcompany.com) but your frontend is on the apex (yourcompany.com) or another subdomain, FlowMock rewrites Set-Cookie responses to use your registrable root domain (e.g. Domain=yourcompany.com) so the session cookie is shared across subdomains.
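To make the mismatch and the rewrite concrete, here is an added Python illustration (not FlowMock's own code): it models RFC 6265 domain matching to show why a cookie scoped to staging-api.yourcompany.com is dropped when it arrives via api-qa.yourcompany.com, then rewrites the Domain attribute to the registrable root. Assumptions: the hostnames are the page's examples, and registrable_domain uses a two-label heuristic instead of the Public Suffix List.

```python
def registrable_domain(host: str) -> str:
    """Registrable root of a hostname.
    Assumption: no Public Suffix List, so the last two labels are taken as
    the root; wrong for suffixes like co.uk, where a real proxy needs the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie Domain or is a subdomain of it."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def split_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into the pair and its attribute list."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    return parts[0], parts[1:]


def browser_accepts(header: str, request_host: str) -> bool:
    """Would a browser store this cookie from a response served by request_host?
    Only the Domain rule is modelled here; Secure and SameSite are not checked."""
    _, attrs = split_set_cookie(header)
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            # Domain the responding host does not fall under -> cookie rejected.
            return domain_matches(request_host, val.strip())
    return True  # host-only cookie: stored for the responding host


def rewrite_set_cookie(header: str, proxy_host: str) -> str:
    """Replace (or add) Domain with the proxy host's registrable root so the
    session cookie is shared across subdomains; every other attribute is kept."""
    name_value, attrs = split_set_cookie(header)
    kept = [a for a in attrs if a.partition("=")[0].strip().lower() != "domain"]
    return "; ".join([name_value, f"Domain={registrable_domain(proxy_host)}", *kept])


# Constructed sample: what staging sends, and the custom domain the app now uses.
UPSTREAM = "session=abc123; Domain=staging-api.yourcompany.com; Path=/; Secure; HttpOnly; SameSite=Lax"
PROXY_HOST = "api-qa.yourcompany.com"

if __name__ == "__main__":
    print("accepted as-is:", browser_accepts(UPSTREAM, PROXY_HOST))  # False
    print("rewritten:", rewrite_set_cookie(UPSTREAM, PROXY_HOST))
```

The trade-off to keep in mind: Domain=yourcompany.com makes the session cookie readable by every host under that root, so only widen it on a domain whose subdomains you fully control.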
What FlowMock forwards
By default, FlowMock forwards:
- Request cookies — sent by the browser to staging
- Response Set-Cookie — passed back to your app
- Auth headers — Authorization, custom tokens, etc.
No stripping, no rewriting — unless you've configured redaction rules.
SameSite and Secure
Modern browsers enforce SameSite and Secure cookie attributes. If your staging cookies use SameSite=Strict, cross-site requests might not include them.
Through a custom domain on your own subdomain, cookies behave like same-site requests. That's why the CNAME setup matters.
Testing locally
For local dev, you might use a tunnel (ngrok, Cloudflare Tunnel) with HTTPS. FlowMock's connect guide in the dashboard walks through this. The key principle is the same: your app and the proxy URL need to agree on cookie domains.
Related
- Domain verification — CNAME setup and verification steps
- Connect troubleshooting — when something still doesn't work
- Getting started — basic proxy setup