
I have a problem with cookies.

I have a simple (self-created) REST API in PHP, running on localhost:80/api.

The frontend is a React app running on localhost:3456.

In PHP the cookie header is:

```php
"Set-Cookie: jwt_refresh_token=".$jwtRefreshToken."; HttpOnly ; Max-Age=3600; Secure; SameSite=None;"
```

The cookie is actually sent to the client, but it is not saved in the browser.

Other PHP headers which are sent to clients:

```php
header('Access-Control-Allow-Origin: http://localhost:3456');
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
header('Access-Control-Allow-Headers: Authorization, Access-Control-Allow-Headers, Origin, Content-Type, Access-Control-Request-Headers');
header('Access-Control-Allow-Credentials: true');
```

What I tried, and it didn't help, after reading tons of questions, answers and tutorials:

  1. Turn off the cookie SECURE param, while it's localhost
  2. Use IP instead of localhost
  3. Push API online and use SSL
  4. Run client app on URL without port, directly on localhost (etc->localhost:80)

PS: Everything is working when testing the API in Postman -> the cookie is automatically saved in Postman's cookies.

Does anyone know what to do?

Update 1

Screenshots: response headers, request headers, preflight response, preflight request.

Update 2

Okay, according to other posts, Edge, Chrome (and other Chrome-core browsers) don't want to save cookies on pages which have a port number (as my frontend runs at localhost:3456). I tried localhost(:80) again and it works now for Firefox at least, but still not for Chrome-core browsers.

Bartas139
  • This is a wild guess, but have you tried adding Cookie to the list of allowed headers? – rickdenhaan Sep 30 '22 at 11:50
  • @rickdenhaan if you mean the Access-Control-Allow-Headers, that refers to what _request_ headers are permitted, nothing to do with what the server returns back. – ADyson Sep 30 '22 at 11:51
  • @Bartas please show how you're making the request to this endpoint from the browser. – ADyson Sep 30 '22 at 11:52
  • Does this answer your question? [Set cookies for cross origin requests](https://stackoverflow.com/questions/46288437/set-cookies-for-cross-origin-requests) – ADyson Sep 30 '22 at 11:52
  • @ADyson Actually no, I read this before and as I think I have everything as it's suggested in that post – Bartas139 Sep 30 '22 at 12:00
  • @ADyson Updated my post, there are screens of request, response and preflight request and response – Bartas139 Sep 30 '22 at 12:05
  • @rickdenhaan Tried, but as mentioned by ADyson nothing to do with that = doesn't help – Bartas139 Sep 30 '22 at 12:06
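
The following is an added example, not code from the question or its comments: a small audit of the response headers and client request mode against the rules browsers apply before storing a cookie from a credentialed cross-origin request. The function names, the `PLACEHOLDER` token and the `withoutSecure` variant are assumptions constructed for illustration.

```javascript
// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// headers: lower-cased response header map; pageOrigin: origin of the frontend;
// credentialsMode: the fetch() "credentials" option the client used.
function auditCrossOriginCookie(headers, pageOrigin, credentialsMode) {
  const issues = [];
  const c = parseSetCookie(headers['set-cookie']);
  const sameSite = String(c.attrs.samesite || 'lax').toLowerCase();
  if (sameSite === 'none' && !c.attrs.secure)
    issues.push('SameSite=None without Secure is rejected by Chromium-based browsers');
  if (headers['access-control-allow-credentials'] !== 'true')
    issues.push('Access-Control-Allow-Credentials must be exactly "true"');
  const acao = headers['access-control-allow-origin'];
  if (acao === '*') issues.push('wildcard Access-Control-Allow-Origin is not allowed with credentials');
  else if (acao !== pageOrigin) issues.push('Access-Control-Allow-Origin does not match the page origin');
  if (credentialsMode !== 'include')
    issues.push('cross-origin fetch needs credentials: "include" or Set-Cookie is ignored');
  return issues;
}

// Constructed sample: the headers shown in the question, with a placeholder token.
const questionHeaders = {
  'set-cookie': 'jwt_refresh_token=PLACEHOLDER; HttpOnly ; Max-Age=3600; Secure; SameSite=None;',
  'access-control-allow-origin': 'http://localhost:3456',
  'access-control-allow-credentials': 'true',
};
// Constructed variant: Secure removed while SameSite=None is kept.
const withoutSecure = { ...questionHeaders,
  'set-cookie': 'jwt_refresh_token=PLACEHOLDER; HttpOnly; Max-Age=3600; SameSite=None' };

console.log(auditCrossOriginCookie(questionHeaders, 'http://localhost:3456', 'include'));
console.log(auditCrossOriginCookie(withoutSecure, 'http://localhost:3456', 'same-origin'));
```

The first call returns an empty list, so the remaining variable for those headers is how the client issues the request; the second call reports both the attribute conflict and the missing credentials mode.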
