1

This is my first time messing around with session cookies and I'm having a pretty hard time. I'd really appreciate any help!

I'd like to note:

  • I'm experiencing all of these issues locally on Chrome
  • I have absolutely no issue receiving the cookie and authenticating the request using Postman. It's Chrome that doesn't set the cookie.

The Server

My server is running on http://localhost:7000/

I'm sending cookies to the client from the server by setting the Set-Cookie header like so:

val cookie = """jwt=$token; Path=/; Domain=localhost; Max-Age=86400; Expires=Thu, 19 Aug 2021 12:20:23 GMT; SameSite=Strict;"""

ctx.header("Set-Cookie", cookie)

I also have cors set up:

it.header(Header.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")
it.header(Header.ACCESS_CONTROL_ALLOW_METHODS, "*")
it.header(Header.ACCESS_CONTROL_ALLOW_HEADERS, "*")

The Front End

My F.E is running on http://localhost:3000/

Here's what an auth request/response looks like: [screenshot]

Here's what one of the failed requests looks like. Notice how there is no cookie set: [screenshot]

I've also noticed that the cookie does not show up in Chrome's "Cookies in use" view: [screenshot]

My Understanding

From what I understand, I can use SameSite=Strict since both FE & BE are running locally on localhost.

When I move into production, FE & BE will not be on the same domain. Then, I'd have to use SameSite=None; Strict. Is this correct?

Also, I'm aware that I can also include HttpOnly, but I'm not at the moment for debugging purposes.

Is my understanding correct?

Thanks!

Thanks in advance for any help you might be able to provide, it's greatly appreciated!

sideshowbarker
dnkr

2 Answers

0

I wasn't properly setting credentials: include

dnkr
-2

I suggest you try setting the allow-origin to * and check the result:

Access-Control-Allow-Origin: *

It would allow requests from any origin; not secure, but it can help you find where the problem is coming from.

Erfan
  • Hi Erfan, thanks for the response. I've seen in [a few places](https://stackoverflow.com/a/46412839/15031707) comments about how allow origin should not be set to `*`, but I've just tried it for testing purposes: – dnkr Aug 18 '21 at 16:17
  • GET /api/transfers?limit=5&offset=0 HTTP/1.1
    Host: localhost:7000
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
    accept: application/json
    DNT: 1
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
    credentials: include
    Origin: http://localhost:3000
    Sec-Fetch-Site: same-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:3000/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    – dnkr Aug 18 '21 at 16:18
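The two answers above pull in opposite directions: the accepted one fixes the client (the request must be sent with credentials included), the other proposes Access-Control-Allow-Origin: * on the server. The following JavaScript is an added example, not code from the question or from either answer; it models the rules the browser applies, as written in the Fetch Standard, so the two suggestions can be checked against each other. It assumes a front end at http://localhost:3000 and a server at http://localhost:7000 (from the question); the response headers it feeds in are constructed for the demonstration, since the page never shows the server's Access-Control-Allow-Origin value.

```javascript
// Added example, not code from the question or the answers above.
// Models the browser-side rules that decide whether a credentialed fetch from
// http://localhost:3000 to http://localhost:7000 can carry the jwt cookie:
//   1. the Fetch Standard "CORS check" on the response,
//   2. the preflight check on Access-Control-Allow-Methods / -Headers, and
//   3. the Secure requirement for a SameSite=None cookie.
// All header values passed in below are constructed for the demonstration.

const FRONTEND_ORIGIN = 'http://localhost:3000';

// CORS-safelisted request headers and methods (Fetch Standard). Content-Type is
// only safelisted for a few MIME types; that detail is ignored here.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Lower-case header names so lookups are case-insensitive.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Split a comma-separated header value into trimmed, lower-cased tokens.
function parseList(value) {
  if (value === undefined) return [];
  return value.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Fetch Standard "CORS check". Returns null on success, otherwise the reason.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const h = lower(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return 'no Access-Control-Allow-Origin header';
  // "*" is accepted only when the request carries no credentials.
  if (credentialsMode !== 'include' && allowOrigin === '*') return null;
  if (allowOrigin !== requestOrigin) {
    return `Access-Control-Allow-Origin "${allowOrigin}" is not the request origin "${requestOrigin}"`;
  }
  if (credentialsMode !== 'include') return null;
  if (h['access-control-allow-credentials'] !== 'true') {
    return 'credentialed request but Access-Control-Allow-Credentials is not exactly "true"';
  }
  return null;
}

// Preflight result check. With credentials mode "include", a "*" in
// Access-Control-Allow-Methods / -Headers is a literal token, not a wildcard,
// and Authorization is never covered by "*" at all.
function preflightCheck(method, requestHeaders, credentialsMode, responseHeaders) {
  const h = lower(responseHeaders);
  const methods = parseList(h['access-control-allow-methods']).map((m) => m.toUpperCase());
  const names = parseList(h['access-control-allow-headers']);
  const wildcardOk = credentialsMode !== 'include';

  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method) &&
      !(wildcardOk && methods.includes('*'))) {
    return `method ${method} not allowed by Access-Control-Allow-Methods`;
  }
  for (const name of Object.keys(requestHeaders).map((n) => n.toLowerCase())) {
    if (SAFELISTED_HEADERS.has(name)) continue;
    if (names.includes(name)) continue;
    if (name !== 'authorization' && wildcardOk && names.includes('*')) continue;
    return `request header "${name}" not allowed by Access-Control-Allow-Headers`;
  }
  return null;
}

// Cookie attribute rule relevant to the question: SameSite=None is only
// accepted together with Secure. Returns null if the cookie passes.
function cookieCheck(setCookie) {
  const parts = setCookie.split(';').map((p) => p.trim()).filter(Boolean);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const [k, v = ''] = part.split('=');
    attrs[k.trim().toLowerCase()] = v.trim().toLowerCase();
  }
  if (attrs.samesite === 'none' && !('secure' in attrs)) {
    return 'SameSite=None requires the Secure attribute';
  }
  return null;
}

// The two server configurations discussed in the thread, checked against a
// credentialed request from the front end.
function demo() {
  const wildcard = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
  const echoed = { 'Access-Control-Allow-Origin': FRONTEND_ORIGIN, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' };
  return {
    wildcardWithCredentials: corsCheck(FRONTEND_ORIGIN, 'include', wildcard),
    echoedOriginWithCredentials: corsCheck(FRONTEND_ORIGIN, 'include', echoed),
    wildcardWithoutCredentials: corsCheck(FRONTEND_ORIGIN, 'omit', wildcard),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Two things follow from running it. First, the "*" origin suggested in the second answer can never work for a request that carries the jwt cookie: a credentialed request needs Access-Control-Allow-Origin to echo http://localhost:3000 exactly, Access-Control-Allow-Credentials: true, and (since the value now depends on the request) Vary: Origin. Second, on the client the setting belongs in the fetch options, as in fetch(url, { credentials: 'include' }); sent as a request header, as in the request dumped in the comment above, credentials: include is just a non-safelisted header that forces a preflight, and with Access-Control-Allow-Headers: * that preflight fails for a credentialed request, because the wildcard is not honoured when credentials are included.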