
I've read through the suggestions here. I'm making an XHR request to my service in order to get the cookie. I've tried ensuring that the Domain is missing from the cookie (not just an empty string) -

Set-Cookie: file-auth=MTU0ODIzODU1M3xEdi1CQkFFQ180SUFBUXdCREFBQUh2LUNBQUVGZG1Gc2RXVVRaRzkzYm14dllXUXRZWFYwYUc5eWFYcGxaQT09fPzBg_EP9S6wn_7gAz0iUtS1cOOaeo78VAMdD5xxhunF; Path=/; Expires=Thu, 24 Jan 2019 10:15:53 GMT

I've tried adjusting my host file so that I make the request to app.localhost.com:12350 and then specifying the domain in the Set-Cookie header -

Set-Cookie: file-auth=MTU0ODIzODg4NnxEdi1CQkFFQ180SUFBUXdCREFBQUh2LUNBQUVGZG1Gc2RXVVRaRzkzYm14dllXUXRZWFYwYUc5eWFYcGxaQT09fCdT3LhVhHIA6mPq_65ndnP1XFD2IEzLpxCmiaosHZA5; Path=/; Domain=app.localhost.com; Expires=Thu, 24 Jan 2019 10:21:26 GMT

My initial XHR (GET) request is to http://app.localhost.com:12350/test/file_service/setcookie

with the following headers

GET /test/file_service/setcookie HTTP/1.1
Host: app.localhost.com:12350
Connection: keep-alive
Accept: application/json
Origin: http://app.localhost.com
Authorization: <MY-JWT>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Referer: http://app.localhost.com/tutorials
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

And the response comes back -

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://app.localhost.com
Access-Control-Expose-Headers: Content-Length
Content-Encoding: gzip
Set-Cookie: file-auth=MTU0ODIzODg4NnxEdi1CQkFFQ180SUFBUXdCREFBQUh2LUNBQUVGZG1Gc2RXVVRaRzkzYm14dllXUXRZWFYwYUc5eWFYcGxaQT09fCdT3LhVhHIA6mPq_65ndnP1XFD2IEzLpxCmiaosHZA5; Path=/; Domain=app.localhost.com; Expires=Thu, 24 Jan 2019 10:21:26 GMT
Vary: Accept-Encoding
Vary: Origin
Date: Wed, 23 Jan 2019 10:21:26 GMT
Content-Length: 23
Content-Type: application/x-gzip

But then when I make a new GET request to http://app.localhost.com:12350/test/file_service/file? (not XHR - I'm just clicking a link in the browser), the cookie isn't sent. Looking in the cookies tab in the Chrome debugger, there's nothing set for the domain.


How do I make this work?


1 Answer


XMLHttpRequest has an attribute withCredentials which defaults to false. This attribute defines whether a Set-Cookie header will be honored for cross origin requests.

If you're hosting the page at http://app.localhost.com but calling http://app.localhost.com:12350 to get the cookie, the Set-Cookie header will be ignored if the withCredentials attribute is not set to true.

Setting withCredentials will depend on how you're making the request. In older browsers -

// Open the request, then opt in to sending and storing cookies cross-origin
var client = new XMLHttpRequest()
client.open("GET", "./")
client.withCredentials = true  // must be set before send()
client.send()

But a more modern solution is -

fetch("./", { credentials:"include" }).then(/* … */)

See here
