
Working on a project where a cookie is used for user identification.

When a user arrives, it calls the service (which is running on localhost), and the service sends a cookie in the response header. The request looks like below:

curl 'http://127.0.0.1:8000/api/v1.0/tracking' -X OPTIONS -H 'Access-Control-Request-Method: POST' -H 'Origin: http://local.com:8080' -H 'Access-Control-Request-Headers: content-type,x-forwarded-for' --compressed

The response header looks like below:

HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: 60
Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, x-forwarded-for
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, PATCH, GET
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Set-Cookie: id=random_id_123_123; expires=Wed, 06-Dec-2017 10:57:36 GMT; Domain=.local.com; Path=/

And then after a specific user action, the app is sending following API request:

curl 'http://127.0.0.1:8000/api/v1.0/tracking?event=video_added&user_id=123123123' -H 'Origin: http://local.com:8080' -H 'Accept: */*' -H 'Referer: http://local.com:8080/' -H 'Connection: keep-alive' --compressed

The request header for the above request looks like below:

GET /api/v1.0/tracking?event=video_added&user_id=123123123 HTTP/1.1
Host: 127.0.0.1:8000
Connection: keep-alive
Accept: */*
Origin: http://local.com:8080
User-Agent: My user agent
Referer: http://local.com:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

I was expecting the cookie (random_id_123_123), received in the response header of the first request, to be sent as a request header in the second request.

The website is running on http://local.com:8080 (which is actually running on the local machine; my vhost config points local.com to 127.0.0.1) and it is being served by Python's SimpleHTTPServer.

The backend service which is setting the cookie is also running on port 8000 on localhost. It seems I have missed something during the implementation. What is it?

Edit: Here is the code.

Alex Benz

2 Answers


Your issue is that cookies are only sent based on the domain. Your code has

var settings = {
  "crossDomain": true,
  "url": "http://127.0.0.1:8000/api/v1.0/tracking?event=video_added&tracking_id=123123123",
  "method": "GET"
}

The URL is 127.0.0.1:8000 and it should be local.com:8000 if you want the cookies to be passed.

Tarun Lalwani
  • Edited the question. The service which is setting the cookie is running on 127.0.0.1:8000 and the website which is calling the API is running on 127.0.0.1:8080. – Alex Benz Dec 08 '17 at 13:54
    See this thread https://stackoverflow.com/questions/1612177/are-http-cookies-port-specific. If you are browsing it as `local.com:8080` in browser then the api should also use `local.com:8000` because even if `local.com` is pointing to `127.0.0.1`, they are not same when it comes to cookie sharing – Tarun Lalwani Dec 08 '17 at 14:03
  • Also if you want you can even remove `response.cookies["id"]["domain"] = ".local.com"` and that also should help you. – Tarun Lalwani Dec 09 '17 at 05:16
  • This is the best answer on the internet right now – amol Apr 09 '21 at 18:45
  • yeah but what about cross origin cookie? I have tried everything without luck... Changed SameSite=None, Secure=true, HttpOnly...etc and I cannot send the cookie. React/NetCoreApi. – Victor Callegari Oct 18 '21 at 20:06
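The domain-scoping rule behind the accepted answer can be checked offline, because Python's http.cookiejar implements the same RFC 6265 host/domain/path matching a browser applies (and, like a browser, ignores the port). The block below is an added example, not code from the question, the answer or the project; it replays the question's hosts and cookie through a CookieJar for the three situations discussed in the answer and its comments. The helper names, the subdomain api.local.com and the constructed Set-Cookie values (the question's cookie minus its already-expired `expires=` attribute, which the jar would otherwise discard) are assumptions made for the illustration.

```python
"""Model how a browser scopes the cookie from the question, using the
RFC 6265 host/domain/path matching built into Python's http.cookiejar.

Added example, not code from the question or the answers.  Hosts, ports
and the cookie value come from the question; helper names, the subdomain
and the Set-Cookie strings are constructed for this illustration.  The
expired `expires=` attribute from the question is omitted on purpose,
because the jar (like a browser) would simply discard an expired cookie."""
import email.message
import http.cookiejar
import urllib.request

API_ON_IP = "http://127.0.0.1:8000/api/v1.0/tracking"   # backend, as in the question
API_ON_NAME = "http://local.com:8000/api/v1.0/tracking"  # backend, as the answer suggests
SITE = "http://local.com:8080/"                          # front end (SimpleHTTPServer)
SUBDOMAIN = "http://api.local.com:8000/"                 # assumed host, shows Domain= scope

COOKIE_WITH_DOMAIN = "id=random_id_123_123; Domain=.local.com; Path=/"
COOKIE_HOST_ONLY = "id=random_id_123_123; Path=/"


class _FakeResponse:
    """Just enough of a response for CookieJar.extract_cookies(): it only
    needs .info() to return a headers object that supports get_all()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self._headers


def cookie_header_for(set_by_url, set_cookie_value, request_url):
    """Store the Set-Cookie that a response from set_by_url carried, then
    return the Cookie header (or None) a later request to request_url
    would get.  The jar compares host and domain, never the port, and
    rejects a Domain= attribute that the setting host is not inside."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse([set_cookie_value]),
                        urllib.request.Request(set_by_url))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def scope(set_by_url, set_cookie_value, request_urls):
    """Map each request URL to the Cookie header it would carry."""
    return {url: cookie_header_for(set_by_url, set_cookie_value, url)
            for url in request_urls}


def scenario_as_posted():
    """Question as posted: 127.0.0.1:8000 sets Domain=.local.com.  The
    setting host is not inside .local.com, so the cookie is rejected at
    storage time and no request ever carries it."""
    return scope(API_ON_IP, COOKIE_WITH_DOMAIN, [API_ON_IP, SITE])


def scenario_without_domain():
    """Second comment under the answer: drop the Domain attribute.  The
    cookie becomes host-only for 127.0.0.1, so it goes back to the API on
    127.0.0.1 but never to local.com."""
    return scope(API_ON_IP, COOKIE_HOST_ONLY, [API_ON_IP, SITE])


def scenario_api_on_local_com():
    """Accepted answer: call the API as local.com:8000.  Domain=.local.com
    now matches the setting host, and the cookie is sent to every port and
    subdomain of local.com, but not to the IP address."""
    return scope(API_ON_NAME, COOKIE_WITH_DOMAIN,
                 [API_ON_NAME, SITE, SUBDOMAIN, API_ON_IP])


if __name__ == "__main__":
    for fn in (scenario_as_posted, scenario_without_domain,
               scenario_api_on_local_com):
        print(fn.__name__)
        for url, header in fn().items():
            print(f"  {url:45} -> {header}")
```

The jar models cookie scoping only. In a real browser the second request from the origin http://local.com:8080 to a different host is a cross-origin fetch, so even a correctly scoped cookie is sent only when the request is made with credentials (`withCredentials` / `credentials: 'include'`), and a credentialed request is refused under `Access-Control-Allow-Origin: *`; the server has to echo the specific origin and add `Access-Control-Allow-Credentials: true`. Current browsers also default cookies to SameSite=Lax, which is what the last comment above runs into when the front end and the API are on different sites.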

Last time I checked, curl doesn't have cookies enabled by default.

To do so you will need to:

  • Use the parameter -b /path/to/cookiejar to read cookies.
  • Use the parameter -c /path/to/cookiejar to write cookies.

So your requests should become:

curl -c cookiejar 'http://127.0.0.1:8000/api/v1.0/tracking' \
-X OPTIONS -H 'Access-Control-Request-Method: POST' \
-H 'Origin: http://local.com:8080' \
-H 'Access-Control-Request-Headers: content-type,x-forwarded-for' \
--compressed

And:

curl -b cookiejar 'http://127.0.0.1:8000/api/v1.0/tracking?event=video_added&user_id=123123123' \
 -H 'Origin: http://local.com:8080' \
 -H 'Accept: */*' \
 -H 'Referer: http://local.com:8080/' \
 -H 'Connection: keep-alive' --compressed