
Below is the code I used to set a cookie and a redirect link in a single response, but only one of them works. If statusCode is 301/302 the redirection happens but the cookie is not set. If statusCode is 200 the cookie is set but the redirect does not work. Does anyone know how to use both in a single request? Should I change the statusCode? Do some status codes not allow setting a cookie?

// `data` and `callback` come from the enclosing Lambda handler (not shown)
const response = {
  statusCode: 302,
  headers: {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": true,
    "Set-Cookie": 'data=' + data,
    "Location": "http://localhost:8040/#/dashboard",
  },
  body: JSON.stringify({
    message: data,
  }),
};
callback(null, response);

I am using the Serverless framework with Node.js.

Here is a screenshot of the response (image not reproduced here).

But in the cookies nothing is there (image not reproduced here).

VisheshRaju
  • 348
  • 2
  • 4
  • 17
  • Apparently, it is possible to do: [Sending browser cookies during a 302 redirect](https://stackoverflow.com/questions/4694089/sending-browser-cookies-during-a-302-redirect). So, perhaps the issue is more about how to do it in your framework? I'd suggest you tell us exactly what framework you are using. – jfriend00 Jun 22 '17 at 14:19
  • I am using the serverless framework... [serverless framework](https://serverless.com/). I am able to achieve them separately but collectively it's not occurring – VisheshRaju Jun 22 '17 at 14:28
  • When you redirect, are you changing domain, port or protocol from what it was before? Or, are you only changing the path? – jfriend00 Jun 22 '17 at 14:42
  • "http://localhost:8040/#/dashboard" -- This is what I have mentioned and it redirects to a different domain. Just like opening a URL in a new tab – VisheshRaju Jun 22 '17 at 14:46
  • I suspect that's your issue. Servers aren't allowed to set cookies in any random domain. – jfriend00 Jun 22 '17 at 14:50
  • New one... that's why I used "domain=localhost" in set-cookie. Is that a problem? – VisheshRaju Jun 22 '17 at 14:51
  • The domain part of the cookie only works for domains that have the same root domain as the current domain and differ only in subdomain, not for a completely different domain (for security reasons). You can't set a cookie in a completely different domain from the current request. Browsers won't accept it. – jfriend00 Jun 22 '17 at 14:56

2 Answers

6

Browsers won't accept a cookie for a completely different domain than the request was sent to. So, if you're redirecting to a new domain, you can't set a cookie for that new domain.

The domain part of the cookie works only for domains that have the same root domain, but differ only in subdomain.

This is taken from RFC 6265:

The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".

So, to recap. You can't set a cookie from your server for a completely different domain and the domain attribute in the cookie won't save you either. Under specialized circumstances, you can set a cookie for a different domain that is different only in sub-domain (e.g. shares the same root domain).


FYI, if your cookie ever did get set appropriately, you'd have to change this:

"Set-Cookie": 'data='+data,

to this:

"Set-Cookie": 'data=' + JSON.stringify(data),

to properly serialize your object.

Community
  • 1
  • 1
jfriend00
  • 683,504
  • 96
  • 985
  • 979
  • I totally understand your point. Yet, after removing the domain part it still does not work. I edited the question – VisheshRaju Jun 22 '17 at 14:58
  • 1
    @user3649118 - So, do you now understand that you can't set a cookie for a completely different domain? The only specialized circumstance where you could do that is if both the original and new domain share a common root domain (e.g. differ only in sub-domain) and you use the `domain` attribute in the cookie. But, if the two domains don't share a root domain, you can't set a cookie for the other domain in any way. That's considered a giant security breach so browsers do not permit it. – jfriend00 Jun 22 '17 at 15:03
  • What if I don't use the domain attribute? Then it must default to the same domain and stay for a default time. But I didn't get any cookie for the response domain. What could be the problem? – VisheshRaju Jun 22 '17 at 15:05
  • @user3649118 - If you remove the `domain` attribute from the cookie, the cookie should be set on the original domain from the request, not on the domain you are redirecting to. – jfriend00 Jun 22 '17 at 15:05
  • Yes, but I don't see any cookie of the original domain set after the redirect happens – VisheshRaju Jun 22 '17 at 15:07
  • @user3649118 - Are you sure you're looking in the right spot for the cookie? If you remove the `domain` attribute from the cookie, then it is supported to set a cookie on the original domain in a 30x redirect and I've found many articles showing that it works. You do have to sometimes watch out for browser caching. I'd suggest looking in the network tab in the Chrome debugger to see EXACTLY what comes back from the redirect response (including all headers) to see if the cookie is or isn't there. – jfriend00 Jun 22 '17 at 15:10
  • @user3649118 - If you're doing things appropriately to set the cookie on the original domain (not on the redirected domain), then browsers will allow that. If the cookie does not show in the 302 response going back to the browser (you looked at the actual headers coming back to the browser), then it's an issue with your specific serverless framework which I cannot help with. But, I thought you wanted the cookie to be set on the new domain and you can't do that unless it differs only by subdomain. – jfriend00 Jun 22 '17 at 15:12
  • @user3649118 - Your image shows a cookie being sent back to the browser with the 302, but it has a `domain` attribute in it that is not your entire domain (it's only a sub-domain) and the browser doesn't save that cookie. That seems as expected. Also, your data for the cookie did not get JSON stringified properly. Are you setting the `domain` attribute on the cookie as it is, or is your server-less environment adding that? It does not look correct. And, if you want the cookie set on the original domain, you will have to remove the `domain` attribute. – jfriend00 Jun 22 '17 at 15:34
  • @user3649118 - FYI, this shows that your serverless environment is sending the cookie - it's just that the browser isn't saving it because of its content. – jfriend00 Jun 22 '17 at 15:38
0

You're setting your cookie equal to data=[Object object] not the actual information.

You need to serialize your data object in that string.

Sugarcaen
  • 90
  • 7
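The two answers above make two separate points: the browser applies the RFC 6265 domain-match rule to the `Domain` attribute before storing a cookie (so a cookie for `localhost` sent from a different host is dropped), and an object concatenated into a cookie string must be serialized first. The following is an added example, not code from either answer or from the Serverless framework. It implements the domain-match check from RFC 6265 section 5.1.3 (without the public-suffix check a real browser also applies), builds a `Set-Cookie` value with a JSON payload, and assembles the 302 response the question was trying to produce. The request host `api.example.com` and the cookie contents are constructed for the demonstration.

```javascript
// Added example: RFC 6265 domain matching and a JSON cookie for a 302 redirect.
// Not from the question, the answers, or the Serverless framework.

// RFC 6265 5.1.3: a request host domain-matches a cookie domain when the two
// strings are identical, or the host ends with "." followed by the domain.
// A leading "." on the Domain attribute is ignored (5.2.3). This omits the
// public-suffix check (e.g. rejecting Domain=com) that real user agents add.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  return host.endsWith('.' + domain);
}

// Would a user agent store this Set-Cookie header when it arrived in a
// response from requestHost? Without a Domain attribute the cookie is
// host-only and is always stored for requestHost itself.
function cookieAccepted(requestHost, setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((s) => s.trim());
  const domainAttr = attrs.find((a) => /^domain=/i.test(a));
  if (!domainAttr) return true;
  const domain = domainAttr.slice('domain='.length).trim();
  if (domain === '') return true; // empty Domain attribute is ignored (5.2.3)
  return domainMatches(requestHost, domain);
}

// Build a Set-Cookie value whose payload is JSON. The JSON is percent-encoded
// so that ';', ',' and whitespace inside it cannot break the header.
function buildSetCookie(name, value, options = {}) {
  const parts = [`${name}=${encodeURIComponent(JSON.stringify(value))}`];
  if (options.domain) parts.push(`Domain=${options.domain}`);
  if (options.path) parts.push(`Path=${options.path}`);
  if (options.maxAge !== undefined) parts.push(`Max-Age=${options.maxAge}`);
  if (options.secure) parts.push('Secure');
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
  return parts.join('; ');
}

// Read the JSON payload back out of a Cookie request header.
function readJsonCookie(cookieHeader, name) {
  for (const pair of cookieHeader.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    if (pair.slice(0, idx).trim() !== name) continue;
    return JSON.parse(decodeURIComponent(pair.slice(idx + 1).trim()));
  }
  return undefined;
}

// Lambda-proxy style response that redirects and sets a host-only cookie on
// the host that served the request (no Domain attribute), which is the only
// host the browser will store it for.
function redirectWithCookie(location, setCookieValue) {
  return {
    statusCode: 302,
    headers: {
      'Set-Cookie': setCookieValue,
      Location: location,
    },
    body: '',
  };
}

// Constructed scenario: the API host is api.example.com and the dashboard
// lives on localhost, as in the question.
const REQUEST_HOST = 'api.example.com';
const sessionData = { user: 'vishesh', id: 7 };

// Mirrors the question: Domain=localhost from api.example.com is rejected.
const rejected = buildSetCookie('data', sessionData, { domain: 'localhost' });
// Host-only cookie: stored for api.example.com, survives the 302.
const accepted = buildSetCookie('data', sessionData, { path: '/', httpOnly: true });

console.log('Domain=localhost accepted?', cookieAccepted(REQUEST_HOST, rejected));
console.log('host-only accepted?', cookieAccepted(REQUEST_HOST, accepted));
console.log(redirectWithCookie('http://localhost:8040/#/dashboard', accepted));
```

`cookieAccepted` reproduces the RFC examples quoted in the accepted answer: from `foo.example.com`, `Domain=example.com` and `Domain=foo.example.com` match while `Domain=bar.example.com` does not. The cookie that survives the redirect is the host-only one on the API host; the page served from `localhost:8040` will not see it, because the cookie belongs to `api.example.com`, and that is the situation the accepted answer describes.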