
I am trying to set up authenticated endpoints in my backend (Express/Node/Mongo with express-session) and can send a cookie to the client (Chrome Version 53.0.2785.143) in the Response Header, but when I look for the cookie in the Dev Console under Application->Storage->Cookies->http://localhost:8100 it is not there, and so nothing is sent back to the server in subsequent Request Headers. However, when I test the code as written using Postman it appears that everything works, meaning that the server sends a cookie on login and the cookie is returned when I GET authenticated endpoints.

Response Headers
HTTP/1.1 200 OK
X-Powered-By: Express
Vary: X-HTTP-Method-Override
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: DELETE, PUT, GET
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Content-Type: application/json; charset=utf-8
Content-Length: 1258
ETag: W/"4ea-X9Q0hp8ptccLVapzMZamYA"
set-cookie: connect.sid=s%3AyEaCZPUtH-rA0yQ3Osk-FNBHxQNYbFqp.gvwe%2FO0GSSfaX6i8Y29XD9vEo6ht2M%2FqL00wiFpntnU; Path=/
Date: Tue, 25 Oct 2016 01:28:59 GMT
Connection: keep-alive

Request Headers
POST /login HTTP/1.1
Host: localhost:8000
Connection: keep-alive
Content-Length: 51
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:8100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://localhost:8100/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

Request Payload
{"email":"test9876@gmail.com","password":"test123"}

Settings object for the session ID cookie:
{ path: '/', _expires: null, originalMaxAge: null, httpOnly: false }

session ID cookie name = 'connect.sid'.

Ionic2 service to login user.
import { Http, Headers, Response } from '@angular/http';
import { Observable } from 'rxjs/Observable';
import 'rxjs/add/operator/map';
import 'rxjs/add/operator/catch';

// POSTs the credentials as JSON to the Express login route.
public loginUser(user: Object): Observable<any> {
    let headers = new Headers();
    headers.append('Content-Type', 'application/json');
    return this.http.post('http://localhost:8000/login', JSON.stringify(user), { headers: headers })
            .map(this.extractData)
            .catch(this.handleError);
}

// Unwraps the JSON body of the response.
public extractData(res: Response) {
    console.log(res.headers); // cookie does not log here in response
    let body = res.json();
    return body || {};
}
user2232681

1 Answer

Usually, Chrome won't save cookies for localhost. Please disable your web security in Chrome.

How to disable Chrome web security?

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir="C:/Chrome dev session" --args --disable-web-security
kiran Gopal
  • I'm running OS X so I ran this in terminal but the cookie is still not saved: $ open -a Google\ Chrome --args --disable-web-security --user-data-dir -enable-file-cookies – user2232681 Oct 25 '16 at 17:52
  • Ok, so I set the session options as follows and now Chrome is setting the cookie: app.use(session({ secret: 'your secret', store: new MongoStore({ mongooseConnection: mongoose.connection }), cookie: { httpOnly: false, secure: false }, resave: false, saveUninitialized: false })); I had included a value for the domain parameter but as part of my solution I removed it. – user2232681 Oct 25 '16 at 18:16
  • Ok, first of all "disabling web security" isn't an acceptable solution for me as it's not "production ready". Second of all, is Chrome only not saving cookies for "localhost" or "127.0.0.1", or does it also refuse to save the cookie when some other host name resolves to 127.0.0.1? – Michael Jul 22 '18 at 05:18
  • @user2232681 Interesting. I am having the exact same issue with express.js where as soon as I add the domain the cookie stops being stored. But in my case I can't remove the domain, because I need it to be the parent domain, e.g. ".example.com" when served by "my.example.com" – Michael Jul 22 '18 at 05:22