
I'm doing a /login POST request with the flag withCredentials = true. The response is the expected one, and if I inspect with Chrome Dev Tools -> Network I can see a response header named Set-Cookie with this content:

Set-Cookie:JSESSIONID=1944a870623c3499ea938df17a5g; Path=/; Secure; HttpOnly

But...

The cookie is not created in the browser (not even if I refresh the page). BTW: in Postman the cookie is created...

I'm doing the requests via Angular v.2.4.2.

In theory the cookie should be created automatically, shouldn't it? BTW, I can't access the Set-Cookie response header either:

import { Http, Headers, RequestOptions } from '@angular/http';
import 'rxjs/add/operator/do';
import 'rxjs/add/operator/map';

// headers was not shown in the original snippet; a form content type is assumed here
const headers = new Headers({ 'Content-Type': 'application/x-www-form-urlencoded' });
const options = new RequestOptions({ headers, withCredentials: true });
const body = `username=${username}&password=${password}`;

return this.http.post(`${host}${basePath}/login`, body, options)
  .do(r => {
    console.log(r.headers.get('Set-Cookie')); // Nothing... :( I can only access the Content-Type header
  })
  .map(r => r.json());

I imagine this is normal if the cookie is supposed to be created automatically, but it is not created....

Why is the cookie not created? How can I solve it?

Thank you so much!

Aral Roca

1 Answer

The fact that you can't access the cookie via JavaScript does not mean it is not created.

An HttpOnly cookie CAN'T be reached from JavaScript (this is protection against XSS attacks).

Your browser will send the given cookie automatically with every request that contains withCredentials: true.

I had a similar problem a few days ago. Take a look here:

Angular2 http post - how to send Authorization header?

Unable to exchange cookie between Spring and Angular2

More about httponly cookies and XSS

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies

https://www.owasp.org/index.php/HttpOnly

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Maciej Treder
  • But if I inspect with `Chrome -> Application -> Cookies`, nothing appears... Is this normal? :/ ! – Aral Roca Jan 19 '17 at 12:20
  • Yes. It is expected behavior, for the same reason. – Maciej Treder Jan 19 '17 at 12:21
  • I have edited my answer, take a look now. I would really appreciate it if you would mark my answer as the one which solves your problem and/or give some points to the solution which I have sent :) – Maciej Treder Jan 19 '17 at 12:23
  • But after `/login`, if I do more requests the request headers are the same! Maybe the `Set-Cookie` header should be there to tell the server that I logged in? How can I put this header in if I can't access the cookie? WTF! hah – Aral Roca Jan 19 '17 at 12:32
  • `Set-Cookie` is a header sent ONLY by the server. It informs the browser to create a cookie with the given value. The browser will attach the cookie to EVERY request to the given origin/server (except http-only cookies). If you want to send the http-only cookie as well, you need to use `withCredentials`. Please, check out my answer here: http://stackoverflow.com/questions/41568828/unable-to-exchange-cookie-between-spring-and-angular2 – Maciej Treder Jan 19 '17 at 12:38
  • I'm confused now. Is `withCredentials = true` necessary in all requests that require login except `/login`? Or only in `/login`? – Aral Roca Jan 19 '17 at 12:41
  • If your user is treated as logged in depending on a cookie, withCredentials should be set to true for EVERY request. What I would suggest is to take a look at the OAuth2 specification. This is a really nice standard for authorizing requests in web applications. https://aaronparecki.com/2012/07/29/2/oauth2-simplified – Maciej Treder Jan 19 '17 at 12:50
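As an added example (not code from the question, the answer or the comments), here is a small JavaScript model of the browser behaviour described above: the Set-Cookie header quoted in the question is stored, `document.cookie` hides the HttpOnly cookie from script, and the cookie is still attached to a cross-origin request only when it is sent with credentials. The origins and request URLs used with it are constructed; Expires, Max-Age, Domain and SameSite are not modelled.

```javascript
// Added example: a minimal model of how a browser treats the Set-Cookie header
// from the question. It shows why document.cookie stays empty for an HttpOnly
// cookie while the same cookie is still attached to later requests that are
// sent with credentials. Expires, Max-Age, Domain and SameSite are not
// modelled; origins and URLs passed in are constructed sample values.

function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: '/', secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'path') cookie.path = v || '/';
    else if (k.toLowerCase() === 'secure') cookie.secure = true;
    else if (k.toLowerCase() === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Cookie jar for the origin that set the cookies; it answers the two questions
// raised in the thread: what can script see, and what does the browser send?
class CookieJar {
  constructor(origin) { this.origin = origin; this.cookies = []; }

  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies = this.cookies.filter(x => x.name !== c.name).concat(c);
  }

  // What document.cookie returns: HttpOnly cookies are hidden from script.
  documentCookie() {
    return this.cookies.filter(c => !c.httpOnly)
      .map(c => `${c.name}=${c.value}`).join('; ');
  }

  // Cookie header attached to a request made from a page at pageOrigin. A
  // cross-origin XHR carries cookies only when withCredentials is true;
  // Secure cookies need https, and the request path must match the cookie path.
  requestCookieHeader(pageOrigin, url, withCredentials) {
    const u = new URL(url);
    if (u.origin !== this.origin) return '';
    if (pageOrigin !== this.origin && !withCredentials) return '';
    return this.cookies
      .filter(c => (!c.secure || u.protocol === 'https:') && u.pathname.startsWith(c.path))
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}
```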