
Good day! There is a Node.js server which sends a cookie after authorization. The server response contains "Set-Cookie", but the browser doesn't take it. Requests to the server are sent by jQuery's AJAX.

Server:

var express = require('express'),
    bodyParser = require('body-parser'),   // provides the jsonParser used on /login
    mysql = require('mysql'),
    config = require('nconf');             // assumed: config.get('db:host') is nconf's "a:b" key syntax
var app = express(),
    jsonParser = bodyParser.json();

// One pool for the whole process; creating a new pool inside every /login request leaks connections.
var dbHandler = mysql.createPool({
    database : config.get('db:database'),
    host     : config.get('db:host'),
    user     : config.get('db:user'),
    password : config.get('db:password'),
    insecureAuth: config.get('db:insecureAuth'),
});

app.use(function (req, res, next) {
    res.setHeader('Access-Control-Allow-Origin', '*');
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, HEAD');
    res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type, Authorization');
    res.setHeader('Access-Control-Allow-Credentials', true);
    next();
});

// getUser, getPlace and getItems are the poster's own database helpers; they are not shown in the post.
app.post('/login', jsonParser, (request, response) => {
    if(!request.body) return response.sendStatus(400);

    getUser(dbHandler, request.body.username, request.body.password, function(id){
        getPlace(dbHandler, id, function(place){
            getItems(dbHandler, place['id'], place['url'], function(items){
                // The domain value here is what the comments below question: a cookie Domain is a host name only.
                response.cookie('logined', true, { expires: new Date(Date.now() + 1000*60*60*24), domain:'localhost:8000/', httpOnly: true });
                // res.send() sets Content-Type/Content-Length itself; calling writeHead() first
                // makes Express throw "Cannot set headers after they are sent".
                response.type('html').send('Ok');
            });
        });
    });
})

app.listen(config.get('port'), () => {
    console.log('server is listening on', config.get('port'));
})

Screenshot: response in browser (image not available)

Deke
gunter
  • What do you mean "browser doesn't take them"? Your screen shot shows the cookie arriving back with the response in the browser just fine. – jfriend00 Nov 24 '17 at 09:09
  • FYI, your `domain` setting for the cookie may not be correct. There certainly shouldn't be a path separator in the domain and I'm not sure a port belongs there either. You can leave that out and the cookie will take the domain that the request it was set from. – jfriend00 Nov 24 '17 at 09:11
  • The browser does not remember them. I use cookies for the "Remember me" option. But there are no cookie files for my site. – gunter Nov 24 '17 at 09:14
  • It's posted from the server. And it didn't work. I added the domain, age and HttpOnly options. Set-Cookie:logined=true; Max-Age=604800; Domain=localhost:8000/; HttpOnly – gunter Nov 24 '17 at 09:20
  • Well, the cookies are set to `httpOnly` so they should only be sent to the server, not accessible to client-side Javascript. And, as I said above, you need to fix the `domain` setting because it is not correct to have a `/` in it and I don't know if a port is allowed or not because cookies are not port limited. So, probably the first thing to do is to fix or remove the domain setting entirely. – jfriend00 Nov 24 '17 at 09:51
  • You can see from [this post](https://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain) that localhost is not something you can use as a domain for cookies. So, for the purposes of your test, just remove the `domain` property entirely from your cookie. – jfriend00 Nov 24 '17 at 09:53
  • I deleted `domain`; the result is the same. – gunter Nov 24 '17 at 09:55
  • How do you ***know*** the cookie isn't being saved? Do you check on the server for the cookie value on another request from that same client to the same server using the same URL? That's how you should check if the cookie is there or not. – jfriend00 Nov 24 '17 at 10:00
  • I checked the cookie files in my browser. The backend is normal; the cookies are created in node.js. – gunter Nov 24 '17 at 10:09
  • Well, frankly I can't tell if your test to see if the cookie is there is flawed or if the cookie isn't actually there. Since the only use for the cookie is to have it sent back to your server, you should test if it is sent back to your server when you make another request to the same host before the expiration. That will tell you conclusively if you have the cookie you want. An httpOnly cookie is of no use on the client anyway since you can't access it there so test what really matters - whether the cookie is sent with subsequent requests to the same host. If it is there, you're all good. – jfriend00 Nov 24 '17 at 10:17

0 Answers
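The following is an added example, not code from the question or from any answer on this page. It turns the points raised in the comments into checks a practitioner can run: why `Domain=localhost:8000/` is not a valid cookie domain, how to build a Set-Cookie value that browsers will accept, and the server-side test the comments recommend (parse the Cookie header of the next request, since an HttpOnly cookie cannot be observed from client-side JavaScript). It also covers the CORS headers in the question's middleware: browsers refuse `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, so a credentialed cross-origin login must echo a specific allow-listed Origin. The front-end origin `http://localhost:3000`, the toy cookie jar and all function names are assumptions made for the illustration.

```javascript
// Added example (not the original poster's code). Assumed front-end origin for the allow-list:
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);

// A cookie Domain attribute is a bare host name (RFC 6265): no scheme, port or path.
// Domain=localhost is also rejected by some browsers, so on localhost the attribute
// should be omitted, which yields a host-only cookie for the host that set it.
function validateCookieDomain(domain) {
  if (domain === undefined) return { ok: true, reason: 'omitted: host-only cookie' };
  if (/[:/]/.test(domain)) return { ok: false, reason: 'Domain must not contain a port or path' };
  if (domain.toLowerCase() === 'localhost') return { ok: false, reason: 'Domain=localhost is rejected by some browsers; omit it' };
  if (!/^\.?[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(domain)) return { ok: false, reason: 'not a host name' };
  return { ok: true, reason: 'ok' };
}

// Build a Set-Cookie header value, refusing attribute combinations browsers reject.
function buildSetCookie(name, value, opts = {}) {
  const check = validateCookieDomain(opts.domain);
  if (!check.ok) throw new Error(`bad cookie domain ${JSON.stringify(opts.domain)}: ${check.reason}`);
  if (opts.sameSite === 'None' && !opts.secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${encodeURIComponent(String(value))}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.domain !== undefined) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// CORS response headers for a credentialed (cookie-carrying) request. Browsers refuse
// Access-Control-Allow-Origin: * when Allow-Credentials is true, so echo the specific
// allow-listed Origin and mark the response as varying on it (for caches).
function corsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null; // unknown origin: send no CORS headers at all
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, HEAD',
    'Access-Control-Allow-Headers': 'X-Requested-With, Content-Type, Authorization',
  };
}

// Toy cookie jar (assumption): the Cookie header a browser would send on its next request
// to the same host after one Set-Cookie. Expiry and Path matching are ignored here.
function nextRequestCookieHeader(setCookieValue) {
  return setCookieValue.split(';')[0].trim();
}

// Parse an incoming Cookie header. An HttpOnly cookie is only visible here, on the server,
// so this is where "did the cookie stick?" is actually answered.
function parseCookieHeader(header) {
  const jar = {};
  if (!header) return jar;
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    jar[pair.slice(0, idx).trim()] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return jar;
}

function isLoggedIn(cookieHeader) {
  return parseCookieHeader(cookieHeader).logined === 'true';
}

// One full round trip: set the cookie without a Domain, then read it back from the next request.
function demo() {
  const setCookie = buildSetCookie('logined', true, { maxAge: 86400, httpOnly: true, sameSite: 'Lax' });
  const cors = corsHeaders('http://localhost:3000');
  const nextCookie = nextRequestCookieHeader(setCookie);
  return { setCookie, cors, nextCookie, loggedIn: isLoggedIn(nextCookie) };
}
```

The client side has to opt in as well: a cross-origin jQuery request only sends and stores cookies when it is made with `xhrFields: { withCredentials: true }` (`credentials: 'include'` for `fetch`); without that, the browser drops Set-Cookie from the response even when the headers are correct.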