I send a request to the server to log in and get a cookie with a token value with the HttpOnly tag. After this action I cannot access the cookie value in my React app, but I tested it in the Postman app and I can see the cookie there. If I can see it in the Postman app, then I can see it in my app! What is the difference between them? Is there a way to get an HttpOnly cookie in a React app?

[Image: result from request]
[Image: response from server in Postman]
2 Answers
17
That is exactly the purpose of HttpOnly cookies.
The server sends the cookie along with the response; the browser stores it and sends it along with any request to the domain of this cookie. But the browser will prevent any code running on it from accessing it.
Why? This creates a secure way to store sensitive information, such as authentication tokens, preventing any injected code in your page from accessing it.

Luis Sieira
- Then how do you read a cookie for login/signup purposes? Or, do you use something else? – Zain763 Feb 03 '21 at 12:55
- Well, you don't. The cookie contains what the server sent (be it a JWT token or similar) and it is sent unaltered to the backend by the browser on every request. It is the backend that decides if the token is valid; the front does not have access to it. Otherwise, your little Amazon banner you put in your page could also read it and steal your session – Luis Sieira Feb 04 '21 at 13:47
- The front can know if it is logged in or not (the token is valid and not expired) by calling a view in the back (typically the user profile summary). If it answers 403 you are not logged in, if it answers 200 you are. – Luis Sieira Feb 04 '21 at 13:51
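Added example, not part of any answer or comment in this thread: a sketch of the flow described above, where the server sets the token in an HttpOnly cookie, script-visible cookies exclude it, and the front end learns its login state from a 200 or 403. The paths `/login` and `/profile`, the cookie name `token`, and the in-memory session map are assumptions made for illustration.

```javascript
// Added example (constructed); names and paths are assumptions, not from the thread.
const { randomBytes } = require("node:crypto");

const sessions = new Map(); // token -> username (in-memory, demo only)

// POST /login handler: the token travels only in an HttpOnly cookie.
function login(username) {
  const token = randomBytes(32).toString("hex");
  sessions.set(token, username);
  return {
    status: 200,
    headers: {
      "Set-Cookie": `token=${token}; HttpOnly; Secure; SameSite=Strict; Path=/`,
    },
    body: { ok: true }, // the token is deliberately absent from the body
  };
}

// Parse the Cookie request header the browser attaches automatically.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// GET /profile handler: the backend alone decides whether the token is valid.
function profile(cookieHeader) {
  const user = sessions.get(parseCookies(cookieHeader).token);
  return user ? { status: 200, body: { user } } : { status: 403, body: null };
}

// Model of document.cookie: browsers leave HttpOnly cookies out of it.
// Postman has no such page-script boundary, so it shows every cookie it stored.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*httponly\b/i.test(h))
    .map((h) => h.split(";")[0])
    .join("; ");
}

// React side: ask the backend instead of reading the cookie.
async function isLoggedIn(fetchImpl = fetch) {
  const res = await fetchImpl("/profile", { credentials: "include" });
  return res.status === 200;
}
```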
2
You can't access HttpOnly cookies in React or any JavaScript framework. You see it in Postman because, in this case, Postman acts like a browser and saves all of the cookies itself, so you can see them.

Meysam
- Thank you for your response, but in addition to JavaScript in the browser, I can't see cookies – Mohsen Mohebbi Aug 24 '19 at 11:22
- I didn't get your point. Do you mean you can't see cookies in the browser? How do you try to see them? Via JavaScript or with a plugin? @Mohsen Mohebbi – Meysam Aug 24 '19 at 16:57