
I'm trying to set an httpOnly cookie using the Express.js res.cookie method. It is set when the request comes from Postman, but it is not being set in either Chrome or Firefox. This situation is simply baffling, and everything I've done to debug the problem has been to no avail. Here is the code that sets the cookie:

// Express's maxAge is in milliseconds, so multiply by 1000 to get 30 days
// (30 * 24 * 60 * 60 on its own is only about 43 minutes)
const refreshJwtExp = 30 * 24 * 60 * 60 * 1000
// genRefreshJWT(id) is the poster's own helper and is not shown in the question
return res.cookie('refresh_token', genRefreshJWT(id).token, {
    maxAge: refreshJwtExp,
    httpOnly: true
})

Here is the client environment I'm working with:

Here is the backend API I'm working with:

Here are the things I've tried to debug the problem:

  • Use a security-disabled Chrome version. See here. I managed to get the refresh token set on localhost, but not on the production website https://www.roromart.com
  • Add a "domain" property set to "roromart.com" in the res.cookie config. Didn't work.

I'm thinking this is a security problem, since it is being set in Postman and in a security-disabled variant of Chrome. One peculiarity here is that I'm working with two domains (roro-api.herokuapp.com and www.roromart.com). Any help would be much appreciated.

  • You may be right. Chrome has some restrictions on the use of cross-domain cookies. https://blog.heroku.com/chrome-changes-samesite-cookie – vvs Feb 05 '21 at 20:22
  • Thanks Vvs. I think you are right. I added a sameSite property in the res.cookie config and set it to false and then 'None'. Neither worked. The new code became:

        return res.cookie('refresh_token', genRefreshJWT(id).token, {
            maxAge: refreshJwtExp,
            httpOnly: true,
            // Set secure true only in production
            secure: process.env.NODE_ENV === 'development' ? false : true,
            sameSite: false,
        })

    – Elijah Kolawole Feb 05 '21 at 20:53
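An added example (not code from the question or the comments) for the two-domain setup described above and the SameSite point raised in the comments: it builds the res.cookie options a cross-site refresh-token cookie needs, serializes them the way Express's Set-Cookie header comes out, audits any Set-Cookie header for the reasons a browser on www.roromart.com would drop it or never send it back to roro-api.herokuapp.com, and returns the CORS headers the API must send. API_HOST and SITE_ORIGIN are taken from the question; the function names are my own and the sample token value is constructed.

```javascript
// Added example (not from the question): build and audit a cross-site refresh-token
// cookie for an API on roro-api.herokuapp.com used from https://www.roromart.com.
const API_HOST = 'roro-api.herokuapp.com';
const SITE_ORIGIN = 'https://www.roromart.com';
// Options for res.cookie so the browser stores the cookie and sends it cross-site.
function refreshCookieOptions() {
  return {
    maxAge: 30 * 24 * 60 * 60 * 1000, // Express maxAge is ms; without *1000 it is ~43 min
    httpOnly: true,
    secure: true,     // browsers drop SameSite=None cookies that lack Secure
    sameSite: 'none', // the default (Lax) is never sent from www.roromart.com
    path: '/',
    // no `domain`: a response from roro-api.herokuapp.com can only set a cookie
    // for that host, so Domain=roromart.com is silently rejected by the browser
  };
}
// Serialize like the `cookie` package Express uses (Max-Age in whole seconds).
function serializeCookie(name, value, o) {
  let s = `${name}=${encodeURIComponent(value)}`;
  if (o.maxAge != null) s += `; Max-Age=${Math.floor(o.maxAge / 1000)}`;
  if (o.domain) s += `; Domain=${o.domain}`;
  if (o.path) s += `; Path=${o.path}`;
  if (o.httpOnly) s += '; HttpOnly';
  if (o.secure) s += '; Secure';
  if (o.sameSite) s += `; SameSite=${o.sameSite[0].toUpperCase()}${o.sameSite.slice(1).toLowerCase()}`;
  return s;
}
// Explain why a Set-Cookie header from API_HOST would be dropped or never sent
// by a browser on SITE_ORIGIN; an empty list means the cookie is usable.
function auditSetCookie(header) {
  const attrs = {};
  for (const part of header.split(';').slice(1)) {
    const [k, v = true] = part.trim().split('=');
    attrs[k.toLowerCase()] = v;
  }
  const problems = [];
  const sameSite = String(attrs.samesite || 'lax').toLowerCase();
  if (sameSite !== 'none') problems.push('SameSite is Lax/Strict: not sent on cross-site requests');
  if (sameSite === 'none' && !attrs.secure) problems.push('SameSite=None requires Secure');
  const domain = attrs.domain && String(attrs.domain).replace(/^\./, '');
  if (domain && !API_HOST.endsWith(domain)) problems.push(`Domain=${domain} does not cover ${API_HOST}: cookie rejected`);
  return problems;
}
// Response headers the API needs for fetch(url, { credentials: 'include' }) from the site.
function corsHeaders(requestOrigin) {
  if (requestOrigin !== SITE_ORIGIN) return {};
  return { 'Access-Control-Allow-Origin': SITE_ORIGIN, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' };
}
```

The client side also has to opt in: a fetch or XHR from www.roromart.com must be sent with credentials enabled, otherwise the browser neither stores nor sends the cookie regardless of the attributes.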

0 Answers