6

I have hosted both frontend and backend in Heroku.

  • Frontend - xxxxxx.herokuapp.com (react app)
  • Backend - yyyyyy.herokuapp.com (express)

I'm trying to implement Google authentication. After getting the token from Google OAuth2, I'm trying to set the id_token and user details in the cookie through the express app.

Below is the piece of code that I have in the backend:

// Express router for the auth endpoints; getToken is the asker's helper that
// exchanges the Google OAuth2 authorization code for id_token and user details.
const express = require('express');
const authRouter = express.Router();

authRouter.get('/token', async (req, res) => {
    try {
        const result = await getToken(String(req.query.code))
        const { id_token, userId, name, exp } = result;
        // exp is a Unix timestamp in seconds; Date expects milliseconds
        const cookieConfig = { domain: '.herokuapp.com', expires: new Date(exp * 1000), secure: true }
        res.status(201)
            .cookie('auth_token', id_token, {
                httpOnly: true,
                ...cookieConfig
            })
            .cookie('user_id', userId, cookieConfig)
            .cookie('user_name', name, cookieConfig)
            .send("Login succeeded")
    } catch (err) {
        res.status(401).send("Login failed");
    }
});

It works perfectly for me locally, but it is not working on Heroku.

These are the domains I have already tried: .herokuapp.com and herokuapp.com. I also tried without specifying the domain field at all.

I can see the Set-Cookie details on the response headers but the /token endpoint is failing without returning any status code and I can't see the cookies set on the application tab.

Please see the images below:

[screenshot: I can't see any status code here, but it says the request failed]
[screenshot: these are the cookie details I can see in the response, but they are not available if I check via the Application tab]

What am I missing here? Could someone help me?

Manoj Kumar S
  • 634
  • 8
  • 16

2 Answers

1

Maybe you should try setting secure as: secure: req.secure || req.headers['x-forwarded-proto'] === 'https'

Pardeep Baboria
  • 458
  • 4
  • 12
1

You are right, this should technically work.

Except that if it did work, it could lead to a massive security breach, since anyone able to create a Heroku subdomain could generate a session cookie for all other subdomains.

It's not only a security issue for Heroku but also for any other service that lets you have a subdomain.

This is why a list of domains has been created, and maintained since then, listing public domains where cookies should not be shared amongst subdomains. This list is used by browsers.

As you can imagine, the domain heroku.com is part of this list.

If you want to know more, this list is known as the Mozilla Foundation’s Public Suffix List.

SugarMouse
  • 131
  • 3
  • 9
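To make the two answers concrete, here is an added example (not code from the question or either answer) that models the browser rule which silently discards a cookie whose Domain is a public suffix, and builds the cookie options a backend behind Heroku's TLS-terminating proxy should send instead. The suffix set is a constructed excerpt of the Public Suffix List, and the request object passed to buildCookieOptions is a constructed stand-in for an Express req.

```javascript
// Constructed excerpt of the Public Suffix List (publicsuffix.org); the real
// list has thousands of entries. It is embedded here so the example runs offline.
const PUBLIC_SUFFIXES = new Set(['com', 'herokuapp.com', 'co.uk', 'github.io']);

// Returns a string describing why a browser would drop the cookie, or null if
// the Domain attribute is acceptable. Mirrors RFC 6265 domain matching plus the
// public-suffix rejection that the second answer describes.
function cookieDomainProblem(requestHost, domainAttr) {
  if (domainAttr === undefined) return null;            // host-only cookie, always fine
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // a leading dot is ignored
  const host = requestHost.toLowerCase();
  if (PUBLIC_SUFFIXES.has(domain)) {
    return `"${domain}" is a public suffix: the cookie would be shared with every tenant`;
  }
  const matches = host === domain || host.endsWith('.' + domain);
  if (!matches) return `"${host}" does not domain-match "${domain}"`;
  return null;
}

// Cookie options following the first answer: derive `secure` from the proxy's
// X-Forwarded-Proto (Heroku terminates TLS, so req.secure alone may be false),
// and omit Domain entirely so the browser scopes the cookie to the responding host.
function buildCookieOptions(req, expSeconds) {
  const secure = Boolean(req.secure) || req.headers['x-forwarded-proto'] === 'https';
  return {
    httpOnly: true,
    secure,
    expires: new Date(expSeconds * 1000),
    // no `domain` key: host-only cookie for the backend's own hostname
  };
}

// Walk through the asker's configuration versus the corrected one.
function demo() {
  const backendHost = 'yyyyyy.herokuapp.com';
  const results = {
    askerConfig: cookieDomainProblem(backendHost, '.herokuapp.com'),
    hostOnly: cookieDomainProblem(backendHost, undefined),
  };
  console.log(results);
  return results;
}
```

Because herokuapp.com is a public suffix, the browser also treats xxxxxx.herokuapp.com and yyyyyy.herokuapp.com as different sites, so a host-only cookie set by the backend is only sent back to the backend and any cross-site fetch from the frontend must be handled explicitly (CORS plus SameSite) or avoided by serving both under one hostname.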