Using session cookies in the node.js request module

Question

I'm trying to use request to make API calls to a Fortigate device. The login method is to do a POST against /logincheckwith the credentials and then use the response cookies for subsequent API calls.

That part works fine and I do get the cookies. However, I can't see the Cookie header when I make the second call and the cookieJar looks empty.

Here's the code:

const config = require('./config/config');
const request = require('request');  

var url = `${config.fortigate.adminURL}/logincheck`;
var cookieJar = request.jar();

request.post(
    {
        url : url,
        headers : {

            "Accept": "application/json"
        },
        form: {
            username: config.fortigate.user,
            secretkey: config.fortigate.password
        },
        jar: cookieJar
    },
    function (error, response, body) {
      
        url = `${config.fortigate.adminURL}/api/v2/monitor/router/ipv4/`;

        request({
            url : url,
            headers : {
                "Accept": "application/json"
            },
            jar: cookieJar
        },
        function (error, response, body) {
            console.log(response.request.headers);
            console.log(response.statusCode);
            console.log(cookieJar);
        });
    }
);

Output of the console.log commands below:

Headers: { Accept: 'application/json' }
Status code: 401
RequestJar {
  _jar:
   CookieJar {
     enableLooseMode: true,
     store: { idx: { '192.168.1.99': { '/': {} } } } } }

I've read the manual here https://github.com/request/request but still can't get it to work.

Also found another post which does have a solution, but other people also has issues with it: How to maintain a request session in NodeJS

Surely I have missed something, but what? Any ideas?

Update

The cookies expires 1969. Maybe the cookie jar does not persist in memory cookies between requests?

Cookie="APSCOOKIE_2739400828="0%260"; Expires=Fri, 09 May 1969 12:47:54 GMT; Path=/; Secure; SameSite=Strict; hostOnly=true; aAge=6ms; cAge=6ms"

Can you check in see whether you're getting the response cookies from the first API call? — Shobhit Chittora, Apr 27 '19 at 05:08

score 1 · Answer 1 · answered Apr 27 '19 at 13:51

Not an answer though, but the below code works fine for me.

const express = require('express')
const app = express();
const request = require('request')
app.use(express.urlencoded({extended: true}));
app.listen(8080, () => console.log('server running on 8080'))


const jar = request.jar();

app.get('/', function(req, res){
    request.post({
        url: 'http://localhost:8080/post',
        form: {
                    username: 'Shobhit',
            },
            jar
    }, () => {
        request({
                    url : 'http://localhost:8080/dummy',
                    jar
            },
             () => {
                    console.log(jar)
            res.end()
            });
    })
})

app.get('/dummy', function(req, res){
    res.end();
})

app.post('/post', function(req, res){
    console.log(req.body);
    let randomNumber= Math.random().toString();
        randomNumber = randomNumber.substring(2,randomNumber.length);
    res.cookie('tough-cookie', randomNumber, {  maxAge: 900000, httpOnly: true });
    res.end();
})

The jar at the end of the second request contains the cookie set in the previous request.

    RequestJar {
  _jar:
   CookieJar {
     enableLooseMode: true,
     store: { idx: { localhost:
   { '/':
      { 'tough-cookie': Cookie="tough-cookie=33128391647421696; Expires=Sat, 27 Apr 2019 14:02:46 GMT; Max-Age=900; Path=/; HttpOnly; hostOnly=true; aAge=3ms; cAge=7ms" } } } } } }

Thank you so much for investing time to help me with this, I really appreciate it! — PatrikJ, Apr 27 '19 at 14:58

PatrikJ · Answer 2 · 2019-04-27T15:01:58.857

This is a bit awkward. I finally found the issue I had and it turns out that my credentials did not have the access needed. Since I configured an REST admin account I assumed it would work, but it did not. Instead I added a normal admin account and that worked fine.

What made me realize this was to compare the raw set-cookie headers in Chrome after making a successful login with the ones I got from NodeJS. The content did not follow the same pattern.

Here's a sample code for authenticating against a Fortinet firewall using Node.js:

const config = require('./config/config');
const request = require('request');
const fs = require('fs');

var url = `${config.fortigate.adminURL}/logincheck`;

var cookieJar = request.jar();
const req = request.defaults({
     agentOptions: {
         ca: fs.readFileSync('./caroot.crt'),   
     },
     jar: cookieJar
})

req.post(
    {
        url : url,
        headers : {
            "Accept": "application/json"
        },
        form: {
            username: config.fortigate.user,
            secretkey: config.fortigate.password
        }        
    },
    function (error, response, body) {

        url = `${config.fortigate.adminURL}/api/v2/monitor/router/ipv4/`;

        req.get({
            url : url,
            headers : {
                "Accept": "application/json"
            }
        },
        function (error, response, body) {
            console.log(body);
        });
    }
);

Hope it helps someone.

Using session cookies in the node.js request module

Update

2 Answers2