
Cookies are being sent in the response header from server, but not getting set in any browser #5877

Open
s-decico opened this issue Sep 5, 2023 · 5 comments
Labels
priority::medium A medium priority

Comments

@s-decico

s-decico commented Sep 5, 2023

Section/Content To Improve

const express = require("express");
const app = express();

// CORS middleware: echo the request Origin back only when it is on the allowlist.
app.use((req, res, next) => {
  const allowedOrigins = [
    "https://app1.netlify.app",
    "https://app2.vercel.app",
  ];
  const origin = req.headers.origin;

  if (allowedOrigins.includes(origin)) {
    res.setHeader("Access-Control-Allow-Origin", origin);
  }

  // Required for the browser to send and store cookies on cross-origin requests.
  res.setHeader("Access-Control-Allow-Credentials", true);
  res.setHeader(
    "Access-Control-Allow-Methods",
    "GET, POST, PUT, DELETE, OPTIONS"
  );
  res.setHeader(
    "Access-Control-Allow-Headers",
    "X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept,Authorization"
  );
  // res.setHeader("Access-Control-Expose-Headers", "Set-Cookie");

  // Answer preflight requests directly; pass everything else on.
  if (req.method === "OPTIONS") {
    res.sendStatus(200);
  } else {
    next();
  }
});

I tried with withCredentials: true in the front end also

import axios from "axios";

// url and UserData are defined elsewhere in the client code
axios
  .post(url, UserData, {
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
    },
    withCredentials: true, // ask the browser to send and accept cookies cross-origin
  })
  .then((response) => console.log(response.status))
  .catch((err) => console.error(err));

Suggested Improvement

I searched but didn't find why this is happening. 3rd party cookies are also enabled in the browser; my client is hosted on .vercel.app and the server on .onrender.com.
Most importantly, it was working locally (client at port 3000 and server at 3001).

Relevant File(s)

No response

@DavidJDallas
Collaborator

#5742 (comment)
Hi, I think this is responded to here. Let me know if this doesn't satisfactorily answer.

@s-decico
Author

s-decico commented Sep 7, 2023

I checked but it didn't help; it's present in the Set-Cookie header in the response but not in the browser cookies.

@ashishkujoy

ashishkujoy commented Sep 26, 2023

I was facing the same issue.

The cookie sent by the server was getting saved with the server domain (you can verify this by hitting any of your server URLs from the browser search bar and opening dev tools). As a result, when the API call was happening from the browser in the client domain, the cookie was not getting sent. Everything was working fine on localhost.

The way I solved this was to put both the server (Render app) and the client app (Vercel) behind a reverse proxy server (Render). Now, since for the browser the domain is the same (the proxy server domain), it started sending the cookie.

@gesirdek

I checked but it didn't help; it's present in the Set-Cookie header in the response but not in the browser cookies.

@s-decico Did you find a solution?

@firefiber

firefiber commented Dec 31, 2023

Generally, if the cookies are being sent (as in, in the response you have the Set-Cookie header, which includes the correct cookies you want, say the sessionid and csrftoken cookies), but the browser isn't storing them, it's usually an issue with additional flags that the browser needs.

It needs Access-Control-Allow-Origin to point to your frontend and Access-Control-Allow-Credentials to be true, so the browser knows to allow subsequent requests and is allowed to send cookies. It looks like you've done this, but just make sure in dev tools.

You also need to make sure the cookies you send (if cross origin, which in your case it is, since front and back are on different domains):

  • are set to Secure (so they're only sent over HTTPS),
  • and SameSite is set to None (if you don't set SameSite manually to None, it defaults to Lax, and browsers reject cross-origin cookies where SameSite is Lax),
  • path points to the correct path (it defaults to '/', which is usually correct, but if you're trying to set different cookies per different paths, then look into this).

More info about this here.

So your set-cookie header should look something like this:

sessionid=z2s5v7c5wwrt1kpc7bs12n7qclmgbcav; expires=Sun, 14 Jan 2024 19:25:28 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=None; Secure

It works locally because they're treated as same-origin cookies, which are considered safe (since the origin and host are the same).
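An added example (not code from this thread or from the project) that turns the checklist above into a function: it parses a Set-Cookie header and the CORS response headers and lists every reason a browser would drop the cookie or withhold it from a cross-site credentialed request. The cookie names, values and origins in it are constructed samples.

```javascript
// Added example, not from the issue thread. Checks a Set-Cookie header plus
// the CORS response headers for the conditions a browser needs before it will
// store the cookie and include it on a cross-site credentialed request.
// Cookie names, values and origins below are constructed for illustration.

// Parse "name=value; Attr; Attr=val" into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split("=");
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: rest.join("="), attrs };
}

// Return the reasons a browser would drop or withhold the cookie on a
// cross-site request from `frontendOrigin`. An empty array means it is fine.
// `responseHeaders` is the server's response header map with lower-case keys.
function crossSiteCookieProblems(setCookie, frontendOrigin, responseHeaders) {
  const { attrs } = parseSetCookie(setCookie);
  const problems = [];
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) {
    problems.push("SameSite missing: browsers default to Lax and drop it on cross-site fetch/XHR");
  } else if (sameSite !== "none") {
    problems.push(`SameSite=${attrs.samesite} is not sent on cross-site requests`);
  }
  if (attrs.secure !== true) {
    problems.push("Secure missing: SameSite=None is rejected without it (and it keeps the cookie off plain HTTP)");
  }
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao !== frontendOrigin) {
    problems.push(`Access-Control-Allow-Origin is ${acao === undefined ? "absent" : acao}; with credentials it must echo ${frontendOrigin} exactly, never *`);
  }
  if (responseHeaders["access-control-allow-credentials"] !== "true") {
    problems.push('Access-Control-Allow-Credentials must be the string "true"');
  }
  return problems;
}

// Constructed samples: the header shape shown in the comment above, and a
// typical local-development header that only works because it is same-site.
const goodHeader = "sessionid=abc123; Max-Age=1209600; Path=/; HttpOnly; SameSite=None; Secure";
const devHeader = "sessionid=abc123; Max-Age=1209600; Path=/; HttpOnly";
const corsOk = { "access-control-allow-origin": "https://app2.vercel.app", "access-control-allow-credentials": "true" };
```

Running `crossSiteCookieProblems(devHeader, "https://app2.vercel.app", corsOk)` reproduces the symptom in this issue: the header is present in the response but reports the missing SameSite=None and Secure attributes.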


6 participants