
I have a very basic requirement to expire an httpOnly cookie. Currently I am using Angular and I know it is not possible to access httpOnly cookies from client-side code. So I was researching and I found Angular Universal, which renders on the server side. So is it possible to implement this functionality using Universal? And is it possible to keep only the cookie expiration logic on SSR while the other components/modules stay on CSR? I need to create a /logout route which will execute the cookie expiration logic. I know it is a lot to ask, but if I at least get a way or direction it would be helpful. I am trying to implement logout functionality in ALB and Cognito based authentication. I am trying to avoid Amplify as it is a paid service.

A few reference links: For Angular Universal cookie handling: https://davidsekar.com/angular/set-cookie-in-angular-universal-during-ssr

Signout in ALB (but here it's an ASP.NET app, while in my case the FE (Angular) and BE (Spring Boot) are hosted separately): https://medium.com/@bobtomlin_70659/signing-out-of-an-alb-web-application-e464723ac6d8

  • What's your question exactly? Yes you can set a cookie directly from your `server.ts` code file, or even directly from angular components – David Apr 11 '20 at 07:46
  • Actually I want to expire a cookie which is httpOnly to log out a user. I am not using Angular Universal currently. So my question is: is there a way I can mix both CSR and SSR in an Angular project? Something like the logic to expire the cookie, i.e. logging out, can render on the server side and the other pages/modules can render on the client end. – Shubham Melvin Felix Apr 12 '20 at 13:19
  • Yes you can, but you don't even need Angular Universal for that. You just need your webserver to handle these requests and remove the cookie accordingly – David Apr 12 '20 at 13:29
  • Ok, correct me if I am wrong. Then in that case, we must run some server-side code. So are you suggesting to have server-side code to do this? Currently in my case the backend (Spring Boot) APIs are hosted on another domain. Can you explain it a bit more? – Shubham Melvin Felix Apr 13 '20 at 04:03
  • And if you are suggesting to implement it at the web server end, like nginx in my case, cookie expiration will only be done while accessing/calling a particular resource, not every time. So how can we do this? And currently nginx is not working as a reverse proxy in my case. – Shubham Melvin Felix Apr 13 '20 at 04:28
  • @ShubhamMelvinFelix, did you find any solution to this? I have the exact same problem. My front end is an Angular single page app and my backend is a NodeJs API; both are sitting behind an ALB protected by Cognito. I am able to connect ok and receive a couple of cookies, but I just can't get rid of them. It is not possible to set the expiry of the cookies from Angular and the get method on the logout endpoint will get you out if you first expire the cookie. I tried many options, but none is working. Have you found a solution? – Christèle Legeard Aug 07 '20 at 17:18
  • @ChristèleLegeard In my case, since the ALB cookie is Secure and HttpOnly, I cleared it from the browser using the webserver, which is Nginx in my case. So in order to implement this, I created a dummy file (logout.json) and kept it in the assets folder. Now when the user clicks the logout button, I make an HTTP GET call to access this logout.json file, and I also made sure this file is not cached by setting headers like Cache-Control. – Shubham Melvin Felix Aug 11 '20 at 05:56
  • By this, what happened is that every call went to the Nginx server and was not served from the browser cache. After this, in the Nginx config file, I added a condition to check if the location call is for logout, and then I expired the ALB cookies with add_header Set-Cookie. After this, I called the Cognito logout endpoint to redirect to the relevant screen (as the Cognito logout endpoint clears the Cognito cookie) – Shubham Melvin Felix Aug 11 '20 at 05:56
  • @ShubhamMelvinFelix Thanks for answering. What I managed to do is to expire the cookies from my backend service (nodeJs) and after that calling the logout endpoint from the front end. – Christèle Legeard Aug 12 '20 at 08:51
  • That should work. – Shubham Melvin Felix Aug 13 '20 at 11:04
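
The approach the comments converge on (expire the ALB session cookies from server-side code, then send the browser to the Cognito logout endpoint), sketched as an added example that is not code from any participant in this thread. It assumes a Node.js handler reachable on the same host as the ALB listener, the ALB default cookie name sharded as `-0` to `-3`, cookies set host-only with `Path=/`, and placeholder values for the Cognito domain, client id and logout URI.

```javascript
// Added example; every value in CONFIG is a placeholder or an assumption.
const CONFIG = {
  cognitoDomain: 'https://example-domain.auth.us-east-1.amazoncognito.com', // placeholder
  clientId: 'EXAMPLE_CLIENT_ID',           // placeholder app client id
  logoutUri: 'https://app.example.com/',   // placeholder; must be an allowed sign-out URL
  cookieName: 'AWSELBAuthSessionCookie',   // ALB default session cookie name
  shards: 4,                               // assumed: shards are named -0 .. -3
};

// One expiring Set-Cookie per shard. Name and Path must match the original
// cookie or the browser keeps it; no Domain attribute (assumed host-only cookie).
function expiredCookieHeaders(cfg) {
  const attrs = 'Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Secure; HttpOnly';
  return Array.from({ length: cfg.shards }, (_, i) => `${cfg.cookieName}-${i}=; ${attrs}`);
}

// Cognito logout endpoint; it clears Cognito's own session cookie.
function cognitoLogoutUrl(cfg) {
  const url = new URL('/logout', cfg.cognitoDomain);
  url.searchParams.set('client_id', cfg.clientId);
  url.searchParams.set('logout_uri', cfg.logoutUri);
  return url.toString();
}

// Status and headers for the logout response.
function buildLogoutResponse(cfg) {
  return {
    status: 302,
    headers: {
      'Set-Cookie': expiredCookieHeaders(cfg),
      'Cache-Control': 'no-store', // never answer logout from a cache
      Location: cognitoLogoutUrl(cfg),
    },
  };
}

// Handler for Node's http.createServer; returns true when it handled the request.
function handleLogout(req, res, cfg = CONFIG) {
  if (req.url.split('?')[0] !== '/logout') return false;
  const { status, headers } = buildLogoutResponse(cfg);
  res.writeHead(status, headers);
  res.end();
  return true;
}
```

The logout button should navigate the browser to `/logout` (for example with `window.location.href`) rather than call it with `HttpClient`, because an XHR cannot follow the cross-origin redirect to Cognito.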

0 Answers