Cookie not being set in browser

Stretch0 picture Stretch0 · May 16, 2018 · Viewed 7.6k times · Source

I am trying to set a cookie which has my auth token in it. I can see it being returned in the response header set-cookie: xxxxxx but for whatever reason, the browser is not storing the cookie.

On my react front end http://app1.dev:3001 I am making an POST api call as such:

return axios.get(
  `${apiUrl}/info`,
  { withCredentials: true }
)
.then(res => res.data)
.catch(console.error)

And I have a simple Koa server running on http://localhost:3000

const Koa = require("koa")
const Router = require("koa-router")
const bodyParser = require("koa-bodyparser")
const cors = require("@koa/cors")
const axios = require("axios")
const env = require("./env")
const KeyGrip = require("keygrip")

const app = new Koa()
const router = new Router()
const port = env("port")

const keyList = ["xxxxxxx",]
app.keys = new KeyGrip(keyList, "sha256")

router.get("/info", ctx => {
  console.log('req', ctx.req)
  ctx.cookies.set("token", "test_token", { signed: true, httpOnly: true })
  ctx.body = { ok: true }
})

const corsOptions = {
  origin: ctx => ctx.request.header.origin,
  credentials: true
}

app
  .use(cors(corsOptions))
  .use(bodyParser())
  .use(router.routes())
  .use(router.allowedMethods())

app.listen(port, () => console.info(`Listening on port ${port}`))

I suspect it is not being set because it is cross domain. when I use http://localhost:3001 for my front end the cookie gets set fine.

Why are the cookies not being set in browser? Any help would be greatly appreciated.

Answer

Sergey Lapin picture Sergey Lapin · May 16, 2018

When you use http://localhost:3001 for the frontend, your frontend and backend servers share the same domain (even being on different ports), so you can see the cookie set by a request to your backend server (and so linked to backend server domain).

When you use different domains, you just can't see the cookie as dev tools are attached to a page that belongs to another domain. But the cookie is saved and will be sent back with subsequent requests.