
The browser GET request header contains the cookies, but the cookie in the request of app.get() is empty, whereas the cookie in the request of app.post() has the data.

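const indexRouter = require('./routes/index');

const app = express();

// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'ejs');
app.use(expressLayouts);

// Body parsers: JSON and classic form posts.
app.use(express.json());
app.use(express.urlencoded({ extended: false }));

// Populates req.cookies (and req.signedCookies) for every later middleware.
app.use(cookieParser());

// Attach CSRF token on each request.
// The token has to be unpredictable, so it comes from the CSPRNG rather than
// Math.random(), which is not suitable for security-sensitive values.
// NOTE(review): the value is computed once at startup and shared by every
// client for the lifetime of the process; a per-session token is the usual
// design — confirm this is intended.
app.use(attachCsrfToken('/portal/', 'csrfToken', require('crypto').randomBytes(32).toString('hex')));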

/**
 * Build an Express middleware that sets one cookie on requests for one URL.
 *
 * @param {string} url - Value `req.url` must equal exactly (note that `req.url`
 *   includes the query string, so `/portal/?x=1` does not match `/portal/`).
 * @param {string} cookie - Name of the cookie to set.
 * @param {string} value - Cookie value; the same value is sent on every
 *   matching request for the lifetime of this middleware instance.
 * @returns {(req: object, res: object, next: Function) => void} Middleware that
 *   sets the cookie with `path: '/'` (no other attributes) when the URL matches
 *   and always calls `next()` afterwards.
 */
function attachCsrfToken(url, cookie, value) {
  return (req, res, next) => {
    const isTargetUrl = req.url === url;
    if (isTargetUrl) {
      // Cookie is readable site-wide; no httpOnly/secure/sameSite flags are set.
      res.cookie(cookie, value, { path : '/' });
    }
    next();
  };
}

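// Debug middleware: log the request line and the cookies cookieParser parsed.
// Logging the whole `req`/`res` objects (as this originally did) prints every
// request header — the raw Cookie header and any credential headers included —
// plus a large circular socket graph, so only the parts relevant to the cookie
// question are printed. Remove or gate this before deploying.
app.use((req, res, next) => {
  console.log('ChannelLog - Request - ', req.method, req.originalUrl);
  console.log('ChannelLog - Cookie header present - ', typeof req.headers.cookie === 'string');
  console.log('ChannelLog - Cookies Unsigned - ', req.cookies);
  console.log('ChannelLog - Cookies Signed - ', req.signedCookies);
  next();
});

// All application routes are mounted at the root path.
app.use('/', indexRouter);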

Sample app.get()

// Sample GET handler: prints the `session` cookie as parsed by cookieParser.
// As shown it never sends a response, so the request would hang; presumably
// the real handler continues after the log (elided in the sample).
router.get('/portal/', isAuthenticated, (req, res) => {
  const { session } = req.cookies;
  console.log('ChannelLog - Cookies Directly - ', session);
});

Sample app.post()

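// POST handler guarded by a CSRF check.
//
// A cookie on its own cannot prove the request originated from this site: the
// browser attaches the csrfToken cookie to a cross-site form POST exactly as it
// does to a legitimate one, so comparing only the cookie lets every request
// through. The double-submit pattern additionally requires the token inside the
// request itself (a body field here), which another origin cannot read or set,
// and compares it with the cookie.
router.post('/portal/create/session', (req, res) => {
  // Guard against CSRF attacks.
  const cookieToken = req.cookies && req.cookies.csrfToken;
  // NOTE(review): assumes the portal form submits the token in a `csrfToken`
  // body field (parsed by express.urlencoded/express.json) — adjust to the
  // field name the form actually uses.
  const submittedToken = req.body && req.body.csrfToken;
  const isValid =
    typeof cookieToken === 'string' &&
    cookieToken === csrfToken &&
    submittedToken === cookieToken;
  if (!isValid) {
    // Reject before any state changes; the original never answered at all.
    res.sendStatus(403);
    return;
  }
  console.log('ChannelLog - CSRF - ', csrfToken, ' - ', req.cookies.csrfToken);
  // Session creation continues here (elided in the sample).
});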

Request Header :

Request Header

Response Header :

Response Header

Console Log :

Console Log

Sample app.post() console log :


Sample app.get() console log :




Looks like the issue was specific to Firebase Cloud Functions: only a cookie named __session is retained by Firebase Functions and passed on to the app.get() handlers.

Resolution:

Changing the session cookie name to __session.


Most AJAX clients (like the fetch API, axios, jQuery, etc.) do not send cookies by default. In fetch, for example, you need to add `{credentials: 'include'}` to the options; in axios, `{withCredentials: true}`.
