
I have an Express app set up that can authenticate users and generate a JWT, and now I want it saved as an HTTP cookie, but the cookie sent in the response, visible under Network in the browser, is not saved in the browser when I check under Application > Cookies, so I cannot then use it to verify another request to the app.

```javascript
res.cookie("token", thetoken, {httpOnly: true, sameSite: "Lax", expires: new Date(Date.now() + 14 * 86400000)});
```

The cookie is only 165 bytes so it's definitely not too big, and since the browser is receiving the cookie in the response for the fetch, it should be able to set it too?

Edit: I added `credentials: "include"` and the relevant CORS header, and now the cookie is visible, received and set, but it gets removed when the page refreshes, so it is as useful as no cookie at all (so something else is at issue as well?)

wiry
  • Are you using `fetch`? Maybe you need to add `credentials: 'include'` option? https://stackoverflow.com/questions/36824106/express-doesnt-set-a-cookie – Danila Jun 18 '20 at 21:40
  • @Danila I can see the cookie being set now, but it gets removed after page refresh, how do I get it to stay? I can see that the expiry date is 2 weeks from when it's set. – wiry Jul 20 '20 at 21:04

1 Answer


I was not using `credentials: "include"` in my fetch arguments, and this CORS header: `res.header("Access-Control-Allow-Credentials", "true");`, which is necessary in order for a cookie to be set from a response.

wiry
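The header combination discussed in this thread, as an added example that is not part of the original question or answer: the server-side headers for a credentialed cross-origin login response, next to the CORS check from the Fetch standard that the browser applies to it. The names `ALLOWED_ORIGINS`, `buildLoginHeaders` and `corsCheck`, the `localhost` origin and the token value are assumptions made for illustration.

```javascript
// Added example: the origin and token used here are constructed, not from the post.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]); // assumed front-end origin

// Server side: headers for a login response that sets the JWT cookie.
function buildLoginHeaders(requestOrigin, token) {
  const headers = {};
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    // With credentials the origin must be echoed exactly; "*" fails the check.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // caches must not reuse one origin's headers for another
  }
  const expires = new Date(Date.now() + 14 * 86400000).toUTCString();
  headers["Set-Cookie"] =
    `token=${encodeURIComponent(token)}; Path=/; Expires=${expires}; HttpOnly; SameSite=Lax`;
  return headers;
}

// Browser side: the CORS check applied to a cross-origin fetch() response.
// credentialsMode is the fetch option: "omit", "same-origin" (default) or "include".
function corsCheck(pageOrigin, credentialsMode, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (credentialsMode !== "include") {
    const ok = allowOrigin === "*" || allowOrigin === pageOrigin;
    return { ok, reason: ok ? "allowed without credentials" : "origin mismatch" };
  }
  if (allowOrigin === "*") {
    return { ok: false, reason: "wildcard origin not allowed with credentials" };
  }
  if (allowOrigin !== pageOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (headers["Access-Control-Allow-Credentials"] !== "true") {
    return { ok: false, reason: "missing Access-Control-Allow-Credentials: true" };
  }
  return { ok: true, reason: "credentialed response allowed" };
}

const page = "http://localhost:3000";
console.log(corsCheck(page, "include", buildLoginHeaders(page, "aaa.bbb.ccc")));
console.log(corsCheck(page, "include", { "Access-Control-Allow-Origin": "*" }));
```

In Express the same headers are produced by the `res.header(...)` and `res.cookie(...)` calls shown in the thread; the allowlist keeps the server from echoing arbitrary origins alongside `Access-Control-Allow-Credentials: true`.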