Can't read 'httpOnly: false' Cookie
I have an express server that has written a cookie, but I cannot access it from the client side. I can see it in the Chrome dev tools, it is NOT marked as being httpOnly or Secure, yet when I try to access it via my React app or even just by typing document.cookie in the browser console, I get nothing.
Right now the express server is running on Heroku, and my client side is localhost.
I'm stumped.
Here is my server side code that is setting the cookie:
return res
  .status(200)
  .cookie('id_token', token, {
    httpOnly: false,
    path: '/',
    secure: false,
    maxAge: 400000
  })
  .json({
    token: token
  });
reactjs express cookies
1.) What's your React code? 2.) Are you using the cors package on server?
– Colin
Nov 21 '18 at 23:35
I'm using 'universal-cookie' const cookies = new Cookies(); const token = await cookies.get('id_token');
– Zach G
Nov 22 '18 at 1:28
On the server I'm just using what's built into express to set the cookie.
– Zach G
Nov 22 '18 at 1:31
Strange. It's likely an issue with the order of your middlewares.
– Colin
Nov 22 '18 at 12:13
asked Nov 21 '18 at 22:26
Zach G
1 Answer
The Express server is running on Heroku and the client is running on localhost.
The cookie set by the Express server is scoped to the current host when the Domain attribute for the cookie isn't set. [1]
Say your application is served at express.herokuapp.com; scripts can only read the cookie when they're running on the same host, i.e. express.herokuapp.com.
However, with cookie scopes, a cookie set on a domain can be read by scripts running in a subdomain.
In development, you can set the Domain attribute for the cookie to .herokuapp.com.
For production, I strongly suggest explicitly scoping the cookie to the client domain. You can apply the same process as in development if client and server are running in different subdomains, but you should only do this if other client apps running in other subdomains share cookies.
However, if both client and server are going to be running in the same domain, I suggest keeping the default cookie scope.
If client and server are running in different domains, I strongly suggest explicitly scoping the cookie to the client domain.
Then add the following entry to your /etc/hosts to alias localhost to a subdomain of herokuapp.com:
127.0.0.1 local.herokuapp.com
Visit the address alias and the client side script will read the cookie.
edited Nov 24 '18 at 10:17
answered Nov 24 '18 at 10:09
Oluwafemi Sule
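The host-only versus Domain-scoped behaviour the answer relies on, as an added example in plain Node.js; this is not code from the question, the answer, or Express. It models how a browser stores a Set-Cookie header (RFC 6265 section 5.3) and whether document.cookie on a given page can read the stored cookie (section 5.1.3 domain matching). The hostnames api.example.com and local.example.com, the token values and the two-entry PUBLIC_SUFFIXES set are constructed stand-ins; the real browser list (publicsuffix.org) is far longer and does include herokuapp.com.

```javascript
// Added example (not from the question, the answer or Express): a small model of
// how a browser stores a Set-Cookie header (RFC 6265 section 5.3) and whether
// document.cookie on a given page can read it (section 5.1.3 domain matching).

// Constructed stand-in for the browser's Public Suffix List. The real list
// (publicsuffix.org) is much longer; it does include herokuapp.com.
const PUBLIC_SUFFIXES = new Set(['com', 'herokuapp.com']);

// Minimal Set-Cookie parser: name, value and the attributes this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: null,
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'domain':
        // Browsers ignore a leading dot: ".herokuapp.com" means "herokuapp.com".
        cookie.domain = val.toLowerCase().replace(/^\./, '');
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
      case 'secure':
        cookie.secure = true;
        break;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3: host domain-matches domain when equal to it or a
// subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Decide how a browser stores the cookie received in a response from requestHost.
// Returns null when the browser discards the cookie.
function storeCookie(header, requestHost) {
  const cookie = parseSetCookie(header);
  const host = requestHost.toLowerCase();
  if (cookie.domain === null) {
    // No Domain attribute: host-only cookie, bound to exactly this host.
    return { ...cookie, hostOnly: true, domain: host };
  }
  if (PUBLIC_SUFFIXES.has(cookie.domain)) {
    // Domain is a suffix shared by unrelated sites. Browsers drop the cookie
    // unless the request host is that suffix itself, which yields a host-only cookie.
    return host === cookie.domain ? { ...cookie, hostOnly: true, domain: host } : null;
  }
  if (!domainMatches(host, cookie.domain)) {
    // A server may not set cookies for a domain it does not belong to.
    return null;
  }
  // Domain cookie: readable from the domain and all of its subdomains.
  return { ...cookie, hostOnly: false };
}

// Would document.cookie on a page served from scriptHost include this cookie?
function visibleToScript(stored, scriptHost) {
  if (stored === null || stored.httpOnly) return false;
  const host = scriptHost.toLowerCase();
  return stored.hostOnly ? host === stored.domain : domainMatches(host, stored.domain);
}

// The question's situation: the cookie arrives with no Domain attribute
// (constructed token value).
const QUESTION_HEADER = 'id_token=constructed-token; Path=/; Max-Age=400';

function questionScenario() {
  const stored = storeCookie(QUESTION_HEADER, 'express.herokuapp.com');
  return {
    sameHost: visibleToScript(stored, 'express.herokuapp.com'),
    localhost: visibleToScript(stored, 'localhost'),
    aliasedSubdomain: visibleToScript(stored, 'local.herokuapp.com'),
  };
}

// The answer's recipe on a constructed domain that is not a public suffix.
function answerScenario() {
  const stored = storeCookie('id_token=constructed-token; Domain=.example.com; Path=/', 'api.example.com');
  return {
    aliasedSubdomain: visibleToScript(stored, 'local.example.com'),
    otherTenant: visibleToScript(stored, 'someone-else.example.com'),
    rejectedOnPublicSuffix: storeCookie('id_token=x; Domain=.herokuapp.com', 'express.herokuapp.com') === null,
  };
}

console.log(questionScenario());
console.log(answerScenario());
```

Run it with node. The question's cookie carries no Domain attribute, so it is host-only and only a page on express.herokuapp.com sees it; a page on localhost, or on an aliased local.herokuapp.com, does not. A Domain=.example.com cookie set by api.example.com is readable from local.example.com, which is the effect the answer describes, but it is equally readable from every other subdomain of example.com. That is why browsers refuse Domain values that are public suffixes shared between unrelated tenants, herokuapp.com among them, and why the recipe belongs on a domain you control rather than on a shared hosting suffix.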