0

I am building an Angular application and I am using ngx-cookie-service to manipulate the cookies.

When I run on my local machine, the cookies are set just fine. When I run on my test server and access it via localhost, it also works just fine. eg: http://localhost:<port_number>

But if I try to access it on the test server from another machine using the ip address (http://<server_ip>:<port_number>), the application works but the cookie is not there and there is no message, error or warning, about what is happening.

I searched other answers but couldn't find a clue. I also fiddled with the setting for Same-Site = 'Lax' or 'None' and Domain but it didn't change things.

Here is a sample of what I am doing

  constructor(private cookieService: CookieService) { }

    this.cookieService.set("cookieName", "value", null, "/", null, true);

What am I doing wrong?

Edit:

I discovered that if I set the cookie with secure=false and sameSite="Lax", it does set:

enter image description here

If I set secure=true and SameSite="Lax", it does not set: enter image description here

I need the secure to be true as a security requirement, so I cannot leave it like that.

This cookie is not being sent from the back-end, the front-end is creating it to store some info.

Does anyone know why it sets in without secure?

Caio Tsubake
  • 101
  • 3
  • 14
  • Browsers won’t return cookies set by IP.. security risk. – MikeOne Aug 17 '21 at 19:59
  • @MikeOne, sorry I didn't understand. This cookie is being created on the front-end, it is not being set by the server that I am accessing. Is that what you meant? I've added more information to the question – Caio Tsubake Aug 18 '21 at 15:18
  • It doesn’t really matter if you only set/get it front-end. A cookie is always set in the context of the domain name the code currently runs on. So for the browser to decide which cookies to ‘expose’ to your code, it checks if the domain name matches with the domain at the time it was set. Does that make sense? – MikeOne Aug 18 '21 at 16:15
  • @MikeOne, okay so if I got it right, the browser will always try to match the cookie domain with the domain the user curretly is, is that correct? – Caio Tsubake Aug 20 '21 at 20:00
  • Basically yes.. – MikeOne Aug 21 '21 at 10:06

1 Answers1

0

I managed to find a way for the cookie to appear.

Installing a certificate on the server, when the website is called with the https protocol, the cookie appears.

I couldn't find anywhere were it said that cookies with Secure set were not created over plain http but it does make sense, when you think about it.

Caio Tsubake
  • 101
  • 3
  • 14