Can't read 'httpOnly: false' Cookie

I have an express server that has written a cookie, but I cannot access it from the client side. I can see it in the Chrome dev tools, and it is NOT marked as being httpOnly or Secure, yet when I try to access it via my React app or even just by typing document.cookie in the browser console, I get nothing.



Right now the express server is running on Heroku, and my client side is localhost.



I'm stumped.



Here is my server side code that is setting the cookie:



// Inside an Express route handler (the handler itself is not shown in the question)
return res
  .status(200)
  .cookie('id_token', token, {
    httpOnly: false,
    path: '/',
    secure: false,
    maxAge: 400000 // Express takes maxAge in milliseconds
  })
  .json({
    token: token
  });

  • 1.) What's your React code? 2.) Are you using the cors package on server?

    – Colin
    Nov 21 '18 at 23:35

  • I'm using 'universal-cookie' const cookies = new Cookies(); const token = await cookies.get('id_token');

    – Zach G
    Nov 22 '18 at 1:28

  • On the server I'm just using what's built into express to set the cookie.

    – Zach G
    Nov 22 '18 at 1:31

  • Strange. It's likely an issue with the order of your middlewares.

    – Colin
    Nov 22 '18 at 12:13
reactjs express cookies

asked Nov 21 '18 at 22:26

Zach G
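Colin's comment asks whether the cors package is in use. As an added example (not code from the question, the comments, or the cors package), the following models the two browser rules that decide whether a cookie in a cross-origin API response (Heroku API, localhost page) is stored at all, and whether the calling script may read that response. The origins in ALLOWED_ORIGINS and the functions corsHeadersFor, cookieStoredFromResponse, scriptCanReadResponse and evaluate are constructed for this illustration.

```javascript
// Added example, not from the question or the cors package: a model of the
// credentialed-CORS rules a browser applies to a cross-origin fetch.
// Origins below are constructed placeholders.

// Allowlist of page origins permitted to call the API with credentials.
// A credentialed response must echo one exact origin; browsers do not accept "*".
const ALLOWED_ORIGINS = new Set([
  'http://localhost:3000',    // constructed dev client origin
  'https://app.example.com',  // constructed production client origin
]);

// Build the CORS response headers for a request's Origin header.
// Returns null for unlisted origins so the caller sends no CORS headers at all.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,       // exact echo, never "*"
    'Access-Control-Allow-Credentials': 'true',  // needed for credentialed fetches
    'Vary': 'Origin',                            // stops caches reusing one origin's answer
  };
}

// Fetch rule: cookies in a response are stored (and cookies are sent) only when
// the request carries credentials: credentials: 'include', or 'same-origin' on a
// same-origin request. A fetch() to another origin without 'include' leaves the
// Set-Cookie header unprocessed, so nothing ever appears in the cookie jar.
function cookieStoredFromResponse(credentialsMode, isSameOrigin) {
  return credentialsMode === 'include' ||
    (credentialsMode === 'same-origin' && isSameOrigin);
}

// CORS rule for a credentialed cross-origin fetch: the response is exposed to
// the script only when the origin is echoed exactly and credentials are allowed.
// (The cookie may still have been stored; CORS gates the script, not the jar.)
function scriptCanReadResponse(requestOrigin, headers) {
  if (!headers) return false;
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin === '*') return false;  // wildcard is invalid with credentials
  if (allowOrigin !== requestOrigin) return false;
  return headers['Access-Control-Allow-Credentials'] === 'true';
}

// Walk one cross-origin request through both rules and report the outcome.
function evaluate(requestOrigin, credentialsMode, headers) {
  return {
    cookieStored: cookieStoredFromResponse(credentialsMode, false),
    scriptCanRead: scriptCanReadResponse(requestOrigin, headers),
  };
}

// Constructed walk-through: the localhost page calls the Heroku API.
const pageOrigin = 'http://localhost:3000';
console.log(evaluate(pageOrigin, 'include', corsHeadersFor(pageOrigin)));
// -> { cookieStored: true, scriptCanRead: true }
console.log(evaluate(pageOrigin, 'same-origin', corsHeadersFor(pageOrigin)));
// -> { cookieStored: false, scriptCanRead: true }
console.log(evaluate(pageOrigin, 'include',
  { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' }));
// -> { cookieStored: true, scriptCanRead: false }
```

With the cors package this corresponds to `cors({ origin: '<exact client origin>', credentials: true })` on the server and `credentials: 'include'` on the client's fetch. Even when both are right, the stored cookie belongs to the API host, not to the page that made the request, which is the scoping point the answer below makes.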

1 Answer

The Express server is running in Heroku and the client server is running in localhost.

The cookie set by the Express server is scoped to the current host when the Domain attribute for the cookie isn't set. [1]

Say your application is served at express.herokuapp.com; scripts can only read it when they're running in the same host, i.e. express.herokuapp.com.

However, with cookie scopes, a cookie set on a domain can be read by scripts running in a subdomain.

In development, you can set the Domain attribute for the cookie to be .herokuapp.com.

For production, I strongly suggest explicitly scoping the cookie to the client domain. While you can apply the same process as in development if client and server are running in different subdomains, you should only do this if other client apps running in other subdomains share cookies.

However, if both client and server are going to be running in the same domain, I suggest keeping the default cookie scope.

If client and server are running in different domains, I strongly suggest explicitly scoping the cookie to the client domain.

Then add the following entry to your /etc/hosts to alias localhost to a subdomain of herokuapp.com:

127.0.0.1       local.herokuapp.com

Visit the address alias and the client-side script will read the cookie.

        edited Nov 24 '18 at 10:17

        answered Nov 24 '18 at 10:09

Oluwafemi Sule
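The scoping rules the answer describes, as an added example that is not part of the answer or of Express: a model of how a browser decides, under RFC 6265, whether to store a cookie with a given Domain attribute and whether document.cookie on a given page host includes it. The hostnames are the thread's own plus constructed example.com ones; PUBLIC_SUFFIXES is a two-entry stub standing in for the public-suffix list browsers consult, and the functions domainMatches, normalizeDomain, storeCookie and readableFrom are constructed for this illustration. The real list does include herokuapp.com, so a browser refuses a cookie whose Domain is .herokuapp.com; the stub keeps that entry so the walk-through shows it.

```javascript
// Added example: a model of the RFC 6265 rules a browser applies when storing
// a cookie and when answering document.cookie. Not the answer's or Express's
// code. The public-suffix set is a constructed two-entry stub.
const PUBLIC_SUFFIXES = new Set(['com', 'herokuapp.com']);

// RFC 6265 section 5.1.3: host domain-matches cookieDomain when they are equal
// or host ends with "." followed by cookieDomain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Browsers drop one leading dot from a Domain attribute; empty means host-only.
function normalizeDomain(attr) {
  return attr ? attr.replace(/^\./, '').toLowerCase() : '';
}

// Decide whether a cookie set by `setByHost` with the given Domain attribute is
// stored, and with what scope. Returns the stored record, or null when refused.
function storeCookie(setByHost, name, domainAttr) {
  const host = setByHost.toLowerCase();
  const domain = normalizeDomain(domainAttr);
  if (domain === '') {
    // No Domain attribute (what res.cookie sends by default): host-only cookie.
    return { name, domain: host, hostOnly: true };
  }
  if (PUBLIC_SUFFIXES.has(domain)) {
    // Section 5.3 step 5: a public-suffix Domain is refused, unless it is the
    // setting host itself, in which case the cookie is stored host-only.
    return domain === host ? { name, domain: host, hostOnly: true } : null;
  }
  // Section 5.3 step 6: the setting host must itself lie within the Domain.
  if (!domainMatches(host, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Whether document.cookie on pageHost includes the stored cookie (section 5.4).
function readableFrom(cookie, pageHost) {
  if (!cookie) return false;
  const host = pageHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Constructed walk-through of the situations discussed in the thread.
const hostOnly = storeCookie('express.herokuapp.com', 'id_token');
console.log(readableFrom(hostOnly, 'express.herokuapp.com')); // -> true
console.log(readableFrom(hostOnly, 'localhost'));             // -> false
console.log(readableFrom(hostOnly, 'local.herokuapp.com'));   // -> false
// Domain=.herokuapp.com is a public suffix in the stub (and in the real list):
console.log(storeCookie('express.herokuapp.com', 'id_token', '.herokuapp.com')); // -> null
// On a domain you own, the Domain attribute works as the answer describes, and
// every sibling subdomain, not only your own client, can then read the cookie.
const shared = storeCookie('api.example.com', 'id_token', 'example.com');
console.log(readableFrom(shared, 'app.example.com'));          // -> true
console.log(readableFrom(shared, 'other-tenant.example.com')); // -> true
```

The last two lines are the answer's own warning in executable form: widening Domain to a parent exposes the token to every host under it, so on shared hosting the safer design is to keep the cookie host-only and serve client and API from the same host (or a reverse proxy in front of both).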
