1

I'm trying to make a post call via an html page. On 2nd application, i'm trying to access a cookie named cookie_test (can be set manually or via code in browser).

Under Application tab(Storage --> cookies), i'm able to see the cookie, but somehow i'm getting undefined in console log when trying to access it from 2nd application (refer 2nd code).

browser cookie screenshot

Application One (test.html is the only file in it & i'm trying to make a post call)

<form action="http://localhost:3000/page-two" method="POST">
    <input type="submit" value="Go to P2">
</form>

Application Two (NodeJS/Express: index.js)

var express = require('express');
var router = express.Router();

router.post('/', function (req, res, next) {
    console.log("COOKIE-TEST::::::", req.cookies.cookie_test)
    res.render("page_two", { cookie_data: req.cookies.cookie_test });
});

module.exports = router;

Note: Within node application, cookies are accessible & works as expected. Issues seems to happen during redirection.

O. Jones
  • 103,626
  • 17
  • 118
  • 172
suraj.datta
  • 99
  • 6
  • It can be helpful to look at devtools' Network tab. It shows cookies sent in each request and returned in the response. There's also a Chrome Web Extension called "Edit This Cookie" which is good for looking at the cookies in your browser. – O. Jones Sep 17 '20 at 14:24
  • Question: Application Two is served from `http://localhost:3000`. Where is Application One served from? – O. Jones Sep 17 '20 at 14:27
  • @O.Jones, Application one is a simple HTML page for now. One thing i noticed was that Cookie header is missing in Request Headers under Network tab . My concern is that whenever user comes to App. 2, the code should have access to the existing cookies. – suraj.datta Sep 17 '20 at 14:34
  • I ask again. Where is Application One served from? You may be running into cross-origin cookie restrictions. – O. Jones Sep 17 '20 at 14:41
  • @O.Jones, App. one is not served from anywhere. I'm simply opening the HTML file(with above code) on a browser. – suraj.datta Sep 17 '20 at 14:56

2 Answers2

1

I was able to solve the issue by setting the cookie parameters as secure(true) & sameSite(none). Make sure to use latest version of express for sameSite property. This setting allowed my 2nd application to access it's cookies, irrespective of getting redirected from any source (in my case Application one).

suraj.datta
  • 99
  • 6
0

A couple of things to check.

First, your nodejs app needs the cookie-parser middleware if it is to receive any cookies from users' browsers. It looks like this.

var cookieParser = require('cookie-parser')
...
var express = require('express')
express.use(cookieParser())
...

You didn't mention how you set the cookie from your post route. You would do that like this with a call to res.cookie():

router.post('/', function (req, res, next) {
    console.log("COOKIE-TEST::::::", req.cookies.cookie_test)
    const testCookieVal = req.cookies.cookie_test || 'some default value'
    res.cookie('cookie_test', testCookieVal)
    res.render("page_two", { cookie_data: someCookieVal })
});

It's not clear how you set the cookie you're trying to retrieve in your post route. You should understand that your Application One html file is served from the file:// origin, and Application Two is served from the https://localhost:3000 origin. Browsers never send cookies associated with web pages served from one origin in requests to other origins.

O. Jones
  • 103,626
  • 17
  • 118
  • 172
  • 1. cookie-parser is in place as middleware. 2.In above route method, i would initially check if a specific cookie exists for a user. If not, would redirect user to login page, then validate the user & set a cookie using res.cookie() with maxAge of 5-6 hours. 3. Now let's assume that user closes the tab & re-viisits the page again via form submit from Application one. Even at that time the valid cookie exits in browser, but somehow not accessible at req.cookie method. 4. I understand that one site won't sent cookies to other app, but atleast the 2nd app should've able to accessed its cookie – suraj.datta Sep 17 '20 at 17:10