
Can you, using fetch or some other means, send a request with an HttpOnly cookie to a server in React?

I know HttpOnly means you can't access it with JS. I'm thinking maybe you can't read it but you can send it back? I don't know.

I want this:

  • Request to server is made from client (ReactJS SPA)
  • Server responds and sets HttpOnly Cookie.
  • Client gets response, cookie is automatically set by browser.

With a new request to that same server I want to send back that cookie. Is this possible using ReactJS? Or maybe there are some ways to bypass that, like maybe opening a new window with simple HTML, not ReactDOM?

Thanks for your help.

Emilis Vadopalas
  • `React` has nothing to do with sending cookies back to the server with each request. If you're using `fetch`, make sure the `credentials` option is set appropriately if you want to include cookies with your requests - https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch – goto Aug 03 '20 at 11:29
  • Does this answer your question? [Fetch API with Cookie](https://stackoverflow.com/questions/34558264/fetch-api-with-cookie) – goto Aug 03 '20 at 11:30
  • Maybe, I wanted to know if cookies with httpOnly set to true will still be sent – Emilis Vadopalas Aug 03 '20 at 12:46
  • Give it a try and let us know. As per MDN docs, "a cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is sent only to the server." – goto Aug 03 '20 at 12:54

1 Answer

Ok, I checked it out.

A cookie with HttpOnly set to true will still be sent using ReactJS, fetch or any other request made with JS. You just can't read it using JS. When using HttpPost, HttpGet, or others, the browser still attaches it to the request, even if it's HttpOnly.

I guess the lesson here is that the browser handles setting cookies on requests, and it doesn't care if the request is made by HTML or JavaScript.

Emilis Vadopalas
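
The behaviour described in this answer and in the `credentials` comment above, as an added example that is not part of the original post: a simplified model of a browser cookie store showing that HttpOnly changes what `document.cookie` exposes, not what gets attached to a request. The `CookieJar` class, its method names, and the `app.example` / `api.example` URLs are hypothetical; the model scopes cookies by origin and ignores Path, Domain, Secure, SameSite and expiry.

```javascript
// Simplified model of a browser cookie store (added example, not browser code).
// Assumption: cookies are scoped by origin; Path/Domain/Secure/SameSite/expiry ignored.
class CookieJar {
  constructor() { this.byOrigin = new Map(); }

  // Called by the "browser" for every Set-Cookie response header.
  store(responseUrl, setCookieHeader) {
    const [pair, ...attrs] = setCookieHeader.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return; // no cookie name: ignore the header
    const cookie = {
      name: pair.slice(0, eq),
      value: pair.slice(eq + 1),
      httpOnly: attrs.some(a => a.toLowerCase() === 'httponly'),
    };
    const origin = new URL(responseUrl).origin;
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    this.byOrigin.get(origin).set(cookie.name, cookie);
  }

  _serialize(origin, filter) {
    const cookies = [...(this.byOrigin.get(origin) || new Map()).values()];
    return cookies.filter(filter).map(c => `${c.name}=${c.value}`).join('; ');
  }

  // What page script sees via document.cookie: HttpOnly entries are hidden.
  documentCookie(pageUrl) {
    return this._serialize(new URL(pageUrl).origin, c => !c.httpOnly);
  }

  // Cookie header the browser attaches for fetch(requestUrl, { credentials }).
  requestCookieHeader(pageUrl, requestUrl, credentials = 'same-origin') {
    const target = new URL(requestUrl).origin;
    const sameOrigin = target === new URL(pageUrl).origin;
    if (credentials === 'omit') return '';
    if (credentials === 'same-origin' && !sameOrigin) return '';
    return this._serialize(target, () => true); // HttpOnly cookies included
  }
}

// Constructed sample: SPA and API on one origin, plus a separate API origin.
const jar = new CookieJar();
jar.store('https://app.example/login', 'session=abc123; HttpOnly; Path=/');
jar.store('https://app.example/login', 'theme=dark');
jar.store('https://api.example/login', 'token=xyz; HttpOnly');
```

In a real browser, a cross-site request additionally depends on the cookie's SameSite attribute, and reading the response from script requires the server to allow credentialed CORS.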