
I am trying to do something supposedly simple and easy: set a cookie! But the browser (Chrome and Safari tested) is simply ignoring them. So the response headers look like:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:*
Connection:keep-alive
Content-Encoding:gzip
Content-Type:application/json; charset=utf-8
Date:Wed, 19 Jul 2017 04:51:51 GMT
Server:nginx
Set-Cookie:UserAuth=<some jwt>; Path=/; Domain=10.10.1.110; Expires=Wed, 19 Jul 2017 12:51:51 GMT; HttpOnly; Secure
Transfer-Encoding:chunked
Vary:Origin

The request does include withCredentials=true. But the cookies section in Chrome is empty. I've tried removing the domain altogether, removing the path, every configuration I can think of, but the browser just won't play ball.

What am I missing?

Mandeep Thakur
see sharper
  • You set a cookie with the `Secure` flag, which instructs the browser that the cookie should only be returned to the application over encrypted connections. Does your connection fulfill this mandatory requirement? – Kul-Tigin Jul 29 '17 at 01:06
  • Yes, the connection is over https. – see sharper Jul 30 '17 at 01:47
  • When using `withCredentials=true` with an `XMLHttpRequest` object for a cross-origin request, you cannot use `*` for `Access-Control-Allow-Origin` to allow the origin. Are you trying to request cross-origin data? You may try adding the domain name to `Access-Control-Allow-Origin` explicitly. – Jack Q Jul 31 '17 at 08:34
  • Are you sure that the Expires parameter is sane? Presumably the cookie is meant to be short lived since it carries a token, but consider skewed clocks. Edit: actually, the Date header shows that it does make sense, so never mind. – Peter Jul 31 '17 at 17:50
  • @JackQ: It's not cross-origin :( – see sharper Aug 01 '17 at 02:16
  • How do you set the cookies? PHP, JavaScript? I have a feeling that the problem is in your setCookies code. – AlbertSamuel Aug 01 '17 at 04:53
  • @AlbertSamuel: Server language is Go. But I'm not sure how relevant it is. The format of the response headers is obviously what determines the browser's behaviour in response to the Set-Cookie. And they seem fine, at least AFAICT. – see sharper Aug 01 '17 at 05:57
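The asker's server is written in Go, so the following is an added Go example (not the asker's code) that emits the same `UserAuth` cookie via `http.SetCookie` and handles the credentialed-CORS point raised in the comments: when `Access-Control-Allow-Credentials: true` is sent, browsers reject a wildcard `Access-Control-Allow-Origin`, so the handler echoes the request `Origin` only if it is on an allowlist and adds `Vary: Origin`. The `/login` path, the allowlist entries, the `SameSite=Lax` attribute and the `credentialedCORSValid` check are assumptions made for the example; the `Domain` attribute is left out, so the cookie is host-only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// allowedOrigins is an assumed allowlist for this example; a real deployment
// would load it from configuration. Note: no "*" entry is possible here.
var allowedOrigins = map[string]bool{
	"https://10.10.1.110": true,
	"https://app.example": true, // hypothetical front-end origin
}

// setAuthCookie writes the UserAuth cookie the way the question's headers show
// it (Path=/, HttpOnly, Secure, 8-hour expiry). http.SetCookie encodes the
// attributes correctly, so there is no hand-built Set-Cookie string to get wrong.
func setAuthCookie(w http.ResponseWriter, token string, now time.Time) {
	http.SetCookie(w, &http.Cookie{
		Name:     "UserAuth",
		Value:    token,
		Path:     "/",
		Expires:  now.Add(8 * time.Hour),
		HttpOnly: true,                 // not readable from document.cookie
		Secure:   true,                 // only sent back over TLS
		SameSite: http.SameSiteLaxMode, // assumption: extra CSRF hardening
	})
}

// applyCORS echoes an allowlisted Origin. With Allow-Credentials: true the
// browser rejects a wildcard origin, so "*" is never emitted. Returns false
// when a browser sent an Origin that is not allowed.
func applyCORS(w http.ResponseWriter, r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // no Origin header: nothing to do
	}
	if !allowedOrigins[origin] {
		return false
	}
	h := w.Header()
	h.Set("Access-Control-Allow-Origin", origin)
	h.Set("Access-Control-Allow-Credentials", "true")
	h.Add("Vary", "Origin") // the response differs per Origin; caches must not merge them
	return true
}

// loginHandler is the assumed endpoint that issues the JWT cookie.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	if !applyCORS(w, r) {
		http.Error(w, "origin not allowed", http.StatusForbidden)
		return
	}
	setAuthCookie(w, "<some jwt>", time.Now())
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	fmt.Fprint(w, `{"ok":true}`)
}

// credentialedCORSValid applies the browser's rule: when credentials are
// allowed, Access-Control-Allow-Origin must be a concrete origin, not "*".
// The header set in the question (ACAC: true, ACAO: *) fails this check.
func credentialedCORSValid(h http.Header) bool {
	if h.Get("Access-Control-Allow-Credentials") != "true" {
		return true
	}
	acao := h.Get("Access-Control-Allow-Origin")
	return acao != "" && acao != "*"
}

// serveLogin runs loginHandler against an in-memory recorder for one Origin.
func serveLogin(origin string) *http.Response {
	req := httptest.NewRequest(http.MethodPost, "https://10.10.1.110/login", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	loginHandler(rec, req)
	return rec.Result()
}

func main() {
	for _, o := range []string{"", "https://app.example", "https://evil.example"} {
		resp := serveLogin(o)
		fmt.Printf("origin=%q status=%d ACAO=%q valid=%v cookies=%d\n",
			o, resp.StatusCode, resp.Header.Get("Access-Control-Allow-Origin"),
			credentialedCORSValid(resp.Header), len(resp.Cookies()))
	}
}
```

Running `main` shows the allowlisted origin getting its own value echoed back with the cookie, the unknown origin getting a 403 with no `Access-Control-Allow-Origin` at all, and a request without an `Origin` header (same-origin, or a non-browser client) getting the cookie with no CORS headers. Keeping `Secure` means the cookie is only ever accepted and returned over TLS, which is the point the second answer below makes.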

2 Answers

So it turns out that the original request had 'withCredentials=true' as a request header rather than being set on the XMLHttpRequest config object.

see sharper

Your cookie shows `HttpOnly; Secure;`.

Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie.

The purpose of the Secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. By setting the Secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.

Cookies with the Secure flag will be interrupted if they travel over plain HTTP instead of the TLS layer. So check your preference and set the configuration of your cookies accordingly.

Ankit