fix(clerk-js): update session cookie domain assertions in integration tests

Update integration tests to expect session cookies on eTLD+1 (with
leading dot) instead of the exact hostname, matching the new behavior
where session cookies are set with an explicit domain attribute. Add
changeset.

Author: jacekradko

.changeset/fix-session-cookie-domain.md

@@ -0,0 +1,5 @@
+---
+'@clerk/clerk-js': patch
+---
+
+Set session cookies on the eTLD+1 domain to align with FAPI and prevent duplicate cookies across domain scopes that cause 401s after inactivity

integration/tests/sessions/root-subdomain-prod-instances.test.ts

@@ -108,7 +108,8 @@ test.describe('root and subdomain production apps @sessions', () => {
       // Check that the cookies are set as expected
       const tab0Cookies = await u[0].page.cookies();
       expect(tab0Cookies.get('__session')).toBeDefined();
-      expect(tab0Cookies.get('__session').domain).toEqual(hosts[0].split(':')[0]);
+      // The session cookie should be set on etld+1 (with leading dot from the domain attribute)
+      expect(tab0Cookies.get('__session').domain).toEqual('.' + hosts[0].split(':')[0]);
       expect(tab0Cookies.get('__session').value).toEqual(tab0Cookies.get('__session_*').value);
       expect(tab0Cookies.get('__session_*').name.split('__session_')[1].length).toEqual(8);
 
@@ -119,6 +120,9 @@ test.describe('root and subdomain production apps @sessions', () => {
       expect(tab0Cookies.get('__client_uat').domain).toEqual(tab0Cookies.get('__client_uat_*').domain);
       expect(tab0Cookies.get('__client_uat_*').name.split('__client_uat_')[1].length).toEqual(8);
 
+      // The session cookie domain should match the client_uat cookie domain (both on etld+1)
+      expect(tab0Cookies.get('__session').domain).toEqual(tab0Cookies.get('__client_uat').domain);
+
       await u[1].page.goto(`https://${hosts[1]}`);
       // user should be signed in already
       await u[1].po.expect.toBeSignedIn();
@@ -140,10 +144,10 @@ test.describe('root and subdomain production apps @sessions', () => {
       expect(tab0Cookies.get('__client_uat_*').domain).toEqual(tab1Cookies.get('__client_uat_*').domain);
       // There should be 1 base client_uat cookie and 1 suffixed variants
       expect(tab0Cookies.raw().filter(c => c.name.startsWith('__client_uat')).length).toEqual(2);
-      // the session cookie should be set on the domain of the app
-      // so, it can be accessed by the host server
-      expect(tab1Cookies.get('__session').domain).toEqual(hosts[1].split(':')[0]);
-      expect(tab1Cookies.get('__session').domain).not.toEqual(tab0Cookies.get('__session').domain);
+      // the session cookie should be set on etld+1
+      // so, it can be shared between all subdomains for the same instance
+      expect(tab1Cookies.get('__session').domain).toEqual('.' + hosts[0].split(':')[0]);
+      expect(tab1Cookies.get('__session').domain).toEqual(tab0Cookies.get('__session').domain);
     });
 
     test('signing out from the sub domains signs out the user from the root domain as well', async ({ context }) => {
@@ -250,7 +254,8 @@ test.describe('root and subdomain production apps @sessions', () => {
       expect(tab0Cookies.get('__client').httpOnly).toBeTruthy();
 
       expect(tab0Cookies.get('__session')).toBeDefined();
-      expect(tab0Cookies.get('__session').domain).toEqual(hosts[0].split(':')[0]);
+      // The session cookie should be set on etld+1 (with leading dot from the domain attribute)
+      expect(tab0Cookies.get('__session').domain).toEqual('.' + hosts[0].split(':')[0]);
 
       // ensure that only 2 client_uat cookies (base and suffixed variant) are visible here
       expect([...tab0Cookies.values()].filter(c => c.name.startsWith('__client_uat')).length).toEqual(2);
@@ -277,7 +282,8 @@ test.describe('root and subdomain production apps @sessions', () => {
       expect(tab1Cookies.get('__client').domain).toBe(`.clerk.${hosts[1].split(':')[0]}`);
 
       expect(tab1Cookies.get('__session')).toBeDefined();
-      expect(tab1Cookies.get('__session').domain).toEqual(hosts[1].split(':')[0]);
+      // The session cookie should be set on etld+1 (with leading dot from the domain attribute)
+      expect(tab1Cookies.get('__session').domain).toEqual('.' + hosts[0].split(':')[0]);
 
       // ensure that all client_uat cookies are still set on the root domain
       expect(tab1Cookies.get('__client_uat_*').domain).toEqual('.' + hosts[0].split(':')[0]);