
I was using Redux-Toolkit (RTK) query with the option of "credentials": "include" to send cookies with my fetch requests.

Here is my setup:

import { createApi, fetchBaseQuery } from "@reduxjs/toolkit/query/react";

const baseQuery = fetchBaseQuery({
  baseUrl: `${import.meta.env.VITE_SERVER}`,
  prepareHeaders(headers) {
    return headers;
  },
  // send and accept cookies on cross-origin requests
  credentials: "include",
});

export const baseApi = createApi({
  baseQuery: baseQuery,
  // endpoints are injected elsewhere; createApi still needs the option
  endpoints: () => ({}),
});

When I made a POST request to log in, I received a "Set-Cookie" header from the server:

HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: http://localhost:5173
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Set-Cookie
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Set-Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY0Yzg4OTU1YWUxODgwZjJmYzM1NmNjMSIsImlhdCI6MTY5MDg2NTIyMiwiZXhwIjoxNjkwODY2MTIyfQ.X_jNxlInBjaIkqevoaryDYDxSC15Qc9YBNjgdM9XpOs; Path=/; HttpOnly; Secure; SameSite=None
Content-Type: application/json; charset=utf-8
Content-Length: 308
Connection: keep-alive
Keep-Alive: timeout=5

Subsequent requests didn't include the Cookie header from the client, for example:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: vi-VN,vi;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-US;q=0.6,en;q=0.5
Connection: keep-alive
DNT: 1
Host: localhost:3000
Origin: http://localhost:5173
Referer: http://localhost:5173/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
  • I can't help but notice that your server is not accessed via a secure URL (it's running on `http://localhost:3000`) and its response attempts to set a cookie marked `Secure`. Browsers reject such attempts. Only secure origins (in practice, those starting with `https://`) are allowed by browsers to set secure cookies. – jub0bs Aug 01 '23 at 16:51

0 Answers
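As an added example (my own code, not part of the question, of RTK Query or of the Express server behind it): a small Node.js diagnostic that parses the login response's Set-Cookie header and lists the reasons a browser would refuse to store the cookie, or to return it on a fetch with credentials: "include", alongside a helper that builds a cookie string suited to the scheme the API is actually served on. The sample response is constructed from the headers shown in the question with a placeholder in place of the JWT; the function names and the `https`/`crossSite` options are assumptions of this example.

```javascript
// Added example: diagnose why a Set-Cookie from a login response would not
// survive a credentialed cross-origin fetch, and build a cookie that would.

// Constructed from the response headers in the question; the JWT is a placeholder.
const SAMPLE_LOGIN_RESPONSE = {
  "Access-Control-Allow-Origin": "http://localhost:5173",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Expose-Headers": "Set-Cookie",
  "Set-Cookie": "token=<jwt-placeholder>; Path=/; HttpOnly; Secure; SameSite=None",
};

// Split "name=value; Attr; Attr=val" into { name, value, attrs }. Attribute
// names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [nameValue, ...rawAttrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const attrs = {};
  for (const raw of rawAttrs) {
    if (!raw) continue;
    const i = raw.indexOf("=");
    const key = (i === -1 ? raw : raw.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : raw.slice(i + 1).trim();
  }
  return { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs };
}

// apiOrigin is the origin the response came from; clientOrigin is the page
// origin that made the credentialed request. Returns [] when nothing blocks
// the cookie from being stored and sent back.
function cookieProblems(responseHeaders, apiOrigin, clientOrigin) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  if (!h["set-cookie"]) {
    return [{ code: "no-set-cookie", message: "response carries no Set-Cookie header" }];
  }
  const problems = [];
  const cookie = parseSetCookie(h["set-cookie"]);
  const apiIsHttps = apiOrigin.startsWith("https://");
  const sameSite = String(cookie.attrs.samesite || "Lax").toLowerCase();

  if (cookie.attrs.secure === true && !apiIsHttps) {
    problems.push({
      code: "secure-on-http",
      message: `Secure cookie "${cookie.name}" set from ${apiOrigin}: a non-https origin cannot set Secure cookies (recent browsers exempt http://localhost, so confirm in the DevTools cookie panel)`,
    });
  }
  if (sameSite === "none" && cookie.attrs.secure !== true) {
    problems.push({ code: "samesite-none-without-secure", message: "SameSite=None is only honoured together with Secure; the cookie is rejected" });
  }
  if (h["access-control-allow-credentials"] !== "true") {
    problems.push({ code: "missing-allow-credentials", message: 'a fetch with credentials: "include" needs Access-Control-Allow-Credentials: true, otherwise the browser blocks the response' });
  }
  const acao = h["access-control-allow-origin"];
  if (acao === "*") {
    problems.push({ code: "wildcard-origin", message: "Access-Control-Allow-Origin: * is not accepted for credentialed requests" });
  } else if (acao !== clientOrigin) {
    problems.push({ code: "origin-mismatch", message: `Access-Control-Allow-Origin is ${acao} but the request came from ${clientOrigin}` });
  }
  if (/\bset-cookie\b/i.test(h["access-control-expose-headers"] || "")) {
    problems.push({ code: "expose-set-cookie-noop", message: "exposing Set-Cookie has no effect: it is a forbidden response-header name that script never sees; the cookie jar is filled regardless" });
  }
  return problems;
}

// Build the Set-Cookie value for the session token. Over plain http (local
// development) Secure gets the cookie dropped and SameSite=None is not allowed
// without Secure, so fall back to SameSite=Lax: localhost:5173 -> localhost:3000
// is same-site (the request in the question shows Sec-Fetch-Site: same-site)
// and Lax cookies are sent on same-site requests. Over https keep Secure, and
// use SameSite=None only when the front end really is on a different site.
function buildSessionCookie(token, { https, crossSite = false }) {
  const parts = [`token=${encodeURIComponent(token)}`, "Path=/", "HttpOnly"];
  if (https) {
    parts.push("Secure", crossSite ? "SameSite=None" : "SameSite=Lax");
  } else {
    parts.push("SameSite=Lax");
  }
  return parts.join("; ");
}

// Report for the question's own response, as seen from http://localhost:5173.
for (const p of cookieProblems(SAMPLE_LOGIN_RESPONSE, "http://localhost:3000", "http://localhost:5173")) {
  console.log(`${p.code}: ${p.message}`);
}
console.log("dev cookie:", buildSessionCookie("<jwt-placeholder>", { https: false }));
```

Run with `node` to see the two findings for the response in the question (Secure over http, and the no-op Expose-Headers entry). The checker only covers the attributes and CORS headers that appear on this page; Domain and Path scoping, cookie size limits and the cookie prefixes are out of scope here.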