Http only cookie not sent back except I set the CREDENTIALS property to INCLUDE - credentials

I am building an app with NUXT 3. I had an experience where the httpOnly cookie wasn't being sent back. But when I set the credentials property of the request to include, it worked. Why is that so please?

Related

How to set cookies using res.cookie for all subdomains?

I am sending a request to my server from abc.example.com. My server is setting httpOnly cookies in the response using res.cookie.
I want these cookies to also be available on example.com so when I do any API calls in example.com, the cookies are sent with that request.
How to achieve this?

How to keep the user logged in with an http-only cookie?

I understand the http-only cookie can't be accessed from JS. How could I keep a user logged in, in a React app? Should I set an endpoint on the backend and just send requests there to check if the user cookie is still there? Which is the best way to solve this?

How do I send an httpOnly cookie to the server?

I set an httpOnly cookie in the browser every time a user logs in or signs up to my website. The cookie contains the refresh token which I use to get a new access token. But the problem is that the refresh token is not sent to the server in any request by default.
I just want to know what I should do to send the httpOnly cookie to the server with every request.
I am using the MERN stack.

A couple of reasons this might happen; any or multiple of these can cause your issue:
You are setting the cookie secure, but not viewing the page over https. The point in secure cookies is they only get sent over a secure connection (ie. https), so you probably don't want this in development (but you do want this in production).
You are setting the cookie as SameSite, but the page the request is sent from is not the same as the cookie origin.
The cookie is not even set. You can check this in the Application tab in the Developer Tools of your browser. This can happen if the cookie would have been set as a result of a CORS request.
If you are using CORS, you need to use withCredentials so the cookies are also sent (or credentials: 'include' for ES6 Fetch API).
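The four causes in the answer above (Secure over plain http, SameSite on a cross-site request, a cookie that was never set, and a cross-origin fetch without `credentials: 'include'`) can be checked mechanically. The following is an added example, not code from the question or the answers: a Set-Cookie builder, a small model of the browser's decision whether to attach a cookie to a `fetch()` call that reports *why* it was dropped, and the CORS response headers a server has to send for a credentialed request (a wildcard `Access-Control-Allow-Origin` is rejected when credentials are included, so one allow-listed origin is echoed back). It also covers the `Domain=example.com` case from the subdomain question above. The function names, host names and the two-label "site" approximation are assumptions chosen for illustration.

```javascript
// Added example, not taken from the question or answers. All names here
// (buildSetCookie, willBrowserSendCookie, corsHeadersForCredentials, hosts)
// are illustrative assumptions.

// Build a Set-Cookie header value with hardened defaults: HttpOnly, Secure,
// SameSite=Lax. `domain` widens scope to all subdomains (abc.example.com and
// example.com both receive a Domain=example.com cookie); without it the
// cookie is host-only and goes back only to the exact host that set it.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', domain, path = '/', maxAge } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Simplified "site" of a host: its last two labels. Real browsers consult the
// public suffix list; this approximation is enough for example.com-style hosts.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Does `host` fall under the cookie's Domain (the domain itself or a subdomain)?
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Model of the browser's decision for a fetch() issued by a page at `pageOrigin`
// to `requestUrl`. `cookie` is { domain, hostOnly, secure, sameSite } as stored
// after Set-Cookie; `credentials` is the fetch() option ('same-origin' by
// default, 'include' or 'omit'). Returns { sent, reason } so the caller can see
// which rule dropped the cookie.
function willBrowserSendCookie(cookie, pageOrigin, requestUrl, credentials = 'same-origin') {
  const page = new URL(pageOrigin);
  const req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  const sameSite = siteOf(page.hostname) === siteOf(req.hostname);

  // 1. Host scoping: host-only cookies need an exact host match, Domain cookies
  //    match the domain and its subdomains.
  const hostOk = cookie.hostOnly ? req.hostname === cookie.domain : domainMatches(req.hostname, cookie.domain);
  if (!hostOk) return { sent: false, reason: 'domain mismatch' };
  // 2. Secure cookies only travel over https (the "works in prod, not in dev" symptom).
  if (cookie.secure && req.protocol !== 'https:') return { sent: false, reason: 'Secure cookie over plain http' };
  // 3. SameSite=Lax/Strict cookies are dropped on cross-site fetch() calls.
  if (!sameSite && cookie.sameSite !== 'None') return { sent: false, reason: `SameSite=${cookie.sameSite} blocks cross-site request` };
  // 4. fetch() credentials mode: 'omit' never sends cookies; cross-origin
  //    requests carry them only with 'include'.
  if (credentials === 'omit') return { sent: false, reason: "credentials: 'omit'" };
  if (!sameOrigin && credentials !== 'include') return { sent: false, reason: "cross-origin fetch without credentials: 'include'" };
  return { sent: true, reason: 'ok' };
}

// CORS response headers for a credentialed cross-origin request. The server
// echoes one explicit allow-listed origin; '*' would be refused by the browser.
function corsHeadersForCredentials(requestOrigin, allowList) {
  if (!allowList.includes(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```

Running `willBrowserSendCookie` against the Nuxt scenario in the question (page on one origin, API on another host of the same site) returns `sent: false` with the reason "cross-origin fetch without credentials: 'include'" for a default `fetch()` and `sent: true` once `credentials: 'include'` is passed, which is exactly the behaviour the asker observed. The server side needs the matching `corsHeadersForCredentials` headers, or the browser discards the response.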

Node.js to force client to send Cookie in a request header

I'm having a micro service written in Node.js (express) and there is an authentication policy/logic implemented.
When I log in to a portal and call the URL of my microservice directly (from the browser), a Cookie is always sent as part of the request header.
Unfortunately, when I test the microservice in the portal environment, no Cookie is sent.
Is it possible to force client to open some iframe or popup to obtain session info/Cookie if missing?

Using HTTPOnly Cookie in GET request (Retrieve user info from server using user_id cookie)

I'm following a tutorial where, after logging in a user, the backend sends an HTTPOnly cookie to the frontend containing the user id. However, HTTPOnly cookies are not accessible from the frontend (e.g. document.cookie will not be able to read the cookie).
My question is, how is this cookie able to be used to retrieve user data? My thought process was that you would do something like GET 'server_address'/user/'id' where 'id' would be the user id stored in the cookie. But this obviously cannot work since the frontend can't access the cookie because it's HTTPOnly. A possible workaround I thought of was for the server to send the user id in the JSON response after logging in, but if this is the solution what is the point of even setting a cookie in the first place? That workaround makes it seem like there's no point in using cookies at all to save user sessions if you can just send the id back in the JSON response.
Please bear with me, this is my first time working with cookies. If it helps at all, I am using an Angular 4 frontend and a Node/Express backend.

An httponly cookie is stored in the browser and is automatically resent back to the server with any future requests that match the origin of the cookie. So, the cookie can be used by the server to identify which client is making the request. If, for example, it was an authentication cookie that identifies who an authenticated user was, then the server would know which authenticated user this request is coming from and could use that information to authenticate the request and to know which user it was.
As you seem to already know, the httponly cookie cannot be retrieved by browser Javascript. That is the meaning of httponly.
how is this cookie able to be used to retrieve user data?
The cookie is sent to the server with any request from that client so the server can use the cookie to identify which user is making the request.
A possible workaround I thought of was for the server to send the user id in the JSON response after logging in
If the server wants the client to know the userID, then it should return it in the response. Or, it can stop using an httpOnly cookie so that the client can read the cookie. But, usually cookies that denote any sort of authenticated state are encrypted on the server so they often aren't intelligible to the client, even if they aren't httpOnly.
if this is the solution what is the point of even setting a cookie in the first place
Cookies are used for a variety of reasons. They allow the server to set some state that is associated with that particular client, and each future request from that client will send that cookie back to the server so the server can have access to that info. The info could be authentication info, userID info, user preferences, etc.
That workaround makes it seem like there's no point in using cookies at all to save user sessions if you can just send the id back in the JSON response.
You don't really tell us much about your application, but cookies are often involved in implementing login and security, and because they are automatically sent along with all future requests, they save the client the bother of having to attach credentials to every single future request (because the cookie credentials are automatically included). And, for requests such as a user clicking on a link in a page, the cookies are required because those types of links won't have credentials in them (and shouldn't).
My thought process was that you would do something like GET 'server_address'/user/'id'
So do you plan to have any security associated with that request? If so, then you need an authentication scheme so that not just anyone can request info for any user. That's often what cookies are used for. You log in, the server sets a credential into an encrypted cookie. That credential identifies a particular authenticated user so that for future requests from that same client, the server can use that cookie to see who the user is and whether they are authenticated.

We set the cookie as httponly to prevent XSS. Imagine there is a security flaw that allows a hacker to inject a script <script>sendToHackerServer(document.cookie)...</script>; the user's cookies (including the session) would be sent to the hacker's server, and the hacker could gain access to the user's data with that session. Since httponly cookies are readable through HTTP requests only, the session cookie will not be sent by the injected script, and your Express backend can read these cookies with req.cookies.