I have an app that stores id-tokens in an httpOnly cookie. When I'm testing locally I'm setting "domain: localhost" so I can send the cookie to localhost plus all its subdomains. When I start up two apps, one on localhost:8080 where I get the cookie from, and one on localhost:8050, the cookie is not added to the request on calls to localhost:8050, only calls to localhost:8080. What is missing here? Is the "domain: localhost" not enough? Do I have to set "credentials: include" also?
-
Yes, because differing ports means two separate origins. – Jun 12 '18 at 10:14
-
@ChrisG Okay, thanks. Is there a way I can go about simulating same origin from 2 localhost to test that the cookie is actually sent to both servers? – Slagathor Jun 12 '18 at 10:16
-
@Slagathor - When you say not sent "...with all requests..." do you mean ajax? If so: https://stackoverflow.com/questions/50811069/browser-not-sending-cookies-via-ajax-but-otherwise-its-perfect and https://stackoverflow.com/questions/36365409/setting-cookies-with-cors-requests Although cookies are not port-specific, ajax calls across ports are cross-origin, which requires enabling (enabling the requests at all, and also enabling cookies). – T.J. Crowder Jun 12 '18 at 10:17
-
Yeah, I mean ajax, and by all requests, I mean that usually cookies are automatically set on the header with requests to the same origin. I have enabled cross-origin requests by adding cors, but I guess the cookie is not included since it's another origin than what it came from? @T.J.Crowder – Slagathor Jun 12 '18 at 10:24
-
@T.J.Crowder Thanks for your help. I figured it out. I had to set "credentials: include" for the request, and then it sent the cookie to both origins. Not as safe as same origin though. – Slagathor Jun 12 '18 at 10:48
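The server half of the fix the thread arrives at, as an added example that is not code from any of the posters: a request handler for the app on localhost:8050 that accepts credentialed cross-origin requests only from an allowlisted origin. The cookie name `id_token`, the `/api` path and the function names are assumptions for illustration.

```javascript
// Origins allowed to send credentialed requests; 8080 is the app that sets the cookie.
const ALLOWED_ORIGINS = new Set(['http://localhost:8080']);

// CORS headers for a given Origin request header. With credentials, browsers reject
// "Access-Control-Allow-Origin: *", so the exact origin is echoed, and only if allowlisted.
function corsHeadersFor(origin) {
  const headers = { Vary: 'Origin' }; // keep caches from reusing a response across origins
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Pull one cookie value out of a Cookie request header.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return null;
}

// Node-style handler; pass it to require('http').createServer(...).listen(8050).
function handleApiRequest(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  if (req.method === 'OPTIONS') { // CORS preflight
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    res.writeHead(204, headers);
    res.end();
    return;
  }
  const token = readCookie(req.headers.cookie, 'id_token'); // assumed cookie name
  res.writeHead(token ? 200 : 401, { ...headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ authenticated: Boolean(token) }));
}

// Client side, in the page served from http://localhost:8080:
//   fetch('http://localhost:8050/api', { credentials: 'include' })
```

Without the two `Access-Control-Allow-*` headers the browser still sends the cookie on a simple request but withholds the response from the calling script, which is why an origin that is not on the allowlist gets nothing readable back.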