Why is the browser not setting the cookie sent from my Node.js backend?
I'm trying to set a cookie from the backend server running at "api.mydomain.com" like this to the frontend running at "mydomain.com".
res.cookie('auth', token, {
  domain: 'mydomain.com',
  httpOnly: true,
  signed: true,
  secure: true,
  sameSite: 'none',
});
res.json({
  // response object
});
In the response header of the request, the "Set-Cookie" header is visible, but when I am checking the cookie storage for the frontend running on "mydomain.com" I cannot find the cookie.
Set-Cookie: auth=<...>; Domain=mydomain.com; Path=/; HttpOnly; Secure; SameSite=None
My backend server is running Node.js and the frontend is in React.
Solution 1:[1]
Well, you are getting this result since you have the httpOnly flag set to true, and this is usually good to enhance security.
HttpOnly cookies are not available to JavaScript code; the browser sends them automatically to the server without making them available to JavaScript.
Solution 2:[2]
You should make httpOnly: false. The HttpOnly flag is used to prevent the cookie from being accessible from JavaScript (but it can still be accessed via HTTP request). So you can store sensitive information securely that won't be compromised via XSS.
res.cookie('auth', token, {
  domain: 'mydomain.com',
  httpOnly: false,
  signed: true,
  secure: true,
  sameSite: 'none',
});
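Whether the Set-Cookie header shown in the question is stored and replayed does not depend on HttpOnly (HttpOnly cookies are still listed in the browser's cookie storage view); it depends on the cookie attributes being acceptable to the browser, on the Domain attribute matching both api.mydomain.com and mydomain.com, and, because the React app on mydomain.com calls api.mydomain.com cross-origin, on the request carrying credentials and the response carrying the matching CORS headers. The following is an added example, not code from the question or from either answer. It is plain Node.js with no framework; the function names, the allowed-origin list and the sample header values are illustrative assumptions.

```javascript
// Added example (not from the question or the answers): the server-side
// pieces that decide whether a cross-origin cookie is stored and sent back.
// All names here are illustrative; the sample inputs are constructed.

// Serialise a Set-Cookie header with the check browsers apply on receipt:
// SameSite=None is only accepted together with Secure.
function buildSetCookie(name, value, opts = {}) {
  const sameSite = opts.sameSite ? String(opts.sameSite).toLowerCase() : null;
  if (sameSite === 'none' && !opts.secure) {
    throw new Error('SameSite=None requires Secure; browsers drop the cookie otherwise');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite[0].toUpperCase()}${sameSite.slice(1)}`);
  return parts.join('; ');
}

// CORS headers a credentialed fetch/XHR needs before the browser will honour
// Set-Cookie on the response: the Origin must be echoed exactly (a wildcard
// is rejected when credentials are involved) and Allow-Credentials must be
// "true". Returns null for origins that are not on the allow list.
function corsHeadersForCredentialedRequest(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the value depends on Origin, so caches must key on it
  };
}

// Parse a Set-Cookie header (as copied from devtools) back into the
// attributes a cookie jar stores. Only the attributes used below are kept.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'path': cookie.path = v; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.toLowerCase(); break;
    }
  }
  return cookie;
}

// RFC 6265 domain matching: Domain=mydomain.com covers mydomain.com itself
// and every subdomain, so api.mydomain.com may set it and mydomain.com
// receives it. It does not cover notmydomain.com.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Would a stored cookie be attached to a request for requestUrl? Combines
// the Secure, Domain and Path rules; SameSite is not modelled beyond the
// attribute check in buildSetCookie.
function cookieSentTo(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== 'https:') return false;
  if (!cookie.domain || !domainMatches(url.hostname, cookie.domain)) return false;
  const path = cookie.path || '/';
  if (url.pathname === path) return true;
  return url.pathname.startsWith(path.endsWith('/') ? path : path + '/');
}

// Walk the question's header through the rules above.
function demo() {
  const header = buildSetCookie('auth', 'token-value', {
    domain: 'mydomain.com', httpOnly: true, secure: true, sameSite: 'none',
  });
  const cookie = parseSetCookie(header);
  return {
    header,
    cors: corsHeadersForCredentialedRequest('https://mydomain.com', ['https://mydomain.com']),
    sentToApi: cookieSentTo(cookie, 'https://api.mydomain.com/me'),
    sentToFrontend: cookieSentTo(cookie, 'https://mydomain.com/'),
    sentOverHttp: cookieSentTo(cookie, 'http://mydomain.com/'),
    sentToOther: cookieSentTo(cookie, 'https://notmydomain.com/'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

On the client side the React app must make the request with `fetch(url, { credentials: 'include' })` (or `withCredentials = true` for XMLHttpRequest); without that, a cross-origin response's Set-Cookie is ignored no matter how the cookie is configured, and with it the response must carry exactly the headers `corsHeadersForCredentialedRequest` returns. The `signed: true` option from the question is an Express/cookie-parser feature that only changes the cookie's value, not whether the browser stores it.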
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Emanuele Scarabattoli |
Solution 2 | BadPiggie |