11

There is something I really don't understand here:

I have express running on server-side, with session initialized.

app.use(express.session({
    secret: 'mySecret'
}));

As mentioned in this post Confusion over session IDs using Connect, it sends a connect.sid cookie to any request.

On the client-side, I want to read the content of this cookie, and it feels impossible:

angular.module('myApp.controllers', ['ngCookies','myApp.services'])
.controller('homeCtrl', function($scope, $cookies) {
    $cookies['test']='myValue';
    console.log($cookies);
});

When I run this, I get this object in the log: Object {test: "myValue"}, whereas if I go to the Resources tab in the Chrome debugger, I can see both cookies:

Screenshot of Resources tab in Chrome debugger

What am I doing wrong?

Is it impossible to access server-made cookies from Angular?

Thanks

Augustin Riedinger

2 Answers

15

By default connect session uses an httpOnly cookie (look here).

Reading the cookie is always forbidden when the httpOnly flag is set.

Try to disable the httpOnly flag:

app.use(express.session({
    secret: 'mySecret',
    cookie: { httpOnly: false }
}));
lupin
7

Be careful that you are not fixing one problem but creating another, worse problem. The httpOnly flag is usually used to defend against XSS attacks. See this link at OWASP for more details: https://www.owasp.org/index.php/HttpOnly

Interesting story about this here: http://blog.codinghorror.com/protecting-your-cookies-httponly/

gregorius
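As an added example (not code from the question or from either answer), the snippet below models which of the two cookies the browser exposes to document.cookie, which is all Angular's $cookies can read, and adds the check a reviewer would run on the session cookie before turning httpOnly off as the first answer suggests. The Set-Cookie lines and the ui-state cookie name are constructed for this example.

```javascript
// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flags without a value become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1); // keeps any '=' inside the value
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// What document.cookie (and therefore $cookies) would contain:
// the browser simply omits every cookie carrying the HttpOnly flag.
function scriptVisibleCookies(setCookieHeaders) {
  const visible = {};
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c.attrs.httponly) visible[c.name] = c.value;
  }
  return visible;
}

// Review check for the session cookie: it must keep HttpOnly, and Secure when
// served over TLS. Returns one finding per missing flag.
function auditSessionCookie(setCookieHeaders, sessionName = 'connect.sid') {
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (c.name !== sessionName) continue;
    if (!c.attrs.httponly) findings.push(`${c.name}: HttpOnly missing, readable by page script`);
    if (!c.attrs.secure) findings.push(`${c.name}: Secure missing, sent over plain HTTP`);
  }
  return findings;
}

// Constructed headers: the default session cookie, plus a separate non-sensitive
// cookie (ui-state, a made-up name) that the server can set for the client to read
// instead of exposing the session id itself.
const defaultHeaders = [
  'connect.sid=s%3Aabc123.sig; Path=/; HttpOnly',
  'ui-state=myValue; Path=/',
];
// The same session cookie after cookie: { httpOnly: false }.
const weakenedHeaders = ['connect.sid=s%3Aabc123.sig; Path=/'];

console.log(scriptVisibleCookies(defaultHeaders)); // only ui-state, as in the question's log
console.log(auditSessionCookie(weakenedHeaders));  // two findings
```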