Can't read 'httpOnly: false' Cookie
I have an express server that has written a cookie, but I cannot access it from the client side. I can see it in the Chrome dev tools; it is NOT marked as being httpOnly or Secure, yet when I try to access it via my React app or even just by typing document.cookie in the browser console, I get nothing.



Right now the express server is running on Heroku, and my client side is localhost.



I'm stumped.



Here is my server side code that is setting the cookie:



return res
.status(200)
.cookie('id_token', token, {
httpOnly: false,
path: '/',
secure: false,
maxAge: 400000
})
.json({
token: token
});
reactjs express cookies
asked Nov 21 at 22:26
Zach G
  • 1.) What's your React code? 2.) Are you using the cors package on server?
    – Colin
    Nov 21 at 23:35










  • I'm using 'universal-cookie' const cookies = new Cookies(); const token = await cookies.get('id_token');
    – Zach G
    Nov 22 at 1:28












  • On the server I'm just using what's built into express to set the cookie.
    – Zach G
    Nov 22 at 1:31










  • Strange. It's likely an issue with the order of your middlewares.
    – Colin
    Nov 22 at 12:13
1 Answer
The Express server is running on Heroku and the client server is running on localhost.

The cookie set by the Express server is scoped to the current host when the Domain attribute for the cookie isn't set. [1]

Say your application is served at express.herokuapp.com; scripts can only read it when they're running on the same host, i.e. express.herokuapp.com.

However, with cookie scoping, a cookie set on a domain can be read by scripts running on a subdomain.

In development, you can set the Domain attribute for the cookie to .herokuapp.com

For production, I strongly suggest explicitly scoping the cookie to the client domain. While you can apply the same process as in development if client and server are running on different subdomains, you should only do this if other client apps running on other subdomains share cookies.

However, if both client and server are going to be running on the same domain, I suggest keeping the default cookie scope.

If client and server are running on different domains, I strongly suggest explicitly scoping the cookie to the client domain.

Then add the following entry to your /etc/hosts to alias localhost to a subdomain of herokuapp.com:

127.0.0.1       local.herokuapp.com

Visit the address alias and the client-side script will read the cookie.
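To make the host-only versus Domain-scoped behaviour in this answer concrete, here is an added example (not code from the question, the answer, or Express) that models the RFC 6265 domain-matching rules a browser applies before document.cookie returns anything; all hostnames and the suffix list in it are constructed.

```javascript
// Added example, not from the question or answer: a small model of the
// RFC 6265 rules that decide whether document.cookie on a page can see a
// cookie, covering the host-only case from the question and the Domain
// case from the answer. All hostnames and the suffix list are constructed.

// RFC 6265 5.1.3: a host domain-matches a cookie domain when they are equal,
// or the host is not an IP address and ends with "." + domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === cookieDomain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return host.endsWith('.' + cookieDomain);
}

// Browsers discard a Domain attribute that is a public suffix, otherwise one
// tenant could plant cookies for every app on the shared suffix. Constructed
// list standing in for the real Public Suffix List, which includes herokuapp.com.
const PUBLIC_SUFFIXES = ['com', 'herokuapp.com'];
function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.includes(domain.toLowerCase().replace(/^\./, ''));
}

// Model the browser storing a Set-Cookie sent by `setByHost`; returns the stored
// cookie, or null when the browser would reject it.
function storeCookie(setByHost, name, { domain = null, httpOnly = false, secure = false } = {}) {
  setByHost = setByHost.toLowerCase();
  if (domain === null) {                              // no Domain: host-only cookie
    return { name, domain: setByHost, hostOnly: true, httpOnly, secure };
  }
  if (isPublicSuffix(domain)) return null;            // e.g. Domain=.herokuapp.com
  if (!domainMatches(setByHost, domain)) return null; // cannot scope to a foreign domain
  return { name, domain: domain.toLowerCase().replace(/^\./, ''), hostOnly: false, httpOnly, secure };
}

// Would document.cookie on a page served from `pageHost` over `scheme` include it?
function visibleToScript(cookie, pageHost, scheme = 'https') {
  if (!cookie || cookie.httpOnly) return false;       // HttpOnly hides it from scripts
  if (cookie.secure && scheme !== 'https') return false;
  pageHost = pageHost.toLowerCase();
  return cookie.hostOnly ? pageHost === cookie.domain : domainMatches(pageHost, cookie.domain);
}

// The question: host-only cookie set by the Heroku API, React app on localhost.
const apiCookie = storeCookie('express.herokuapp.com', 'id_token', { httpOnly: false, secure: false });
console.log(visibleToScript(apiCookie, 'express.herokuapp.com'), visibleToScript(apiCookie, 'localhost', 'http')); // true false
// The answer's fix, on a constructed domain that is not a public suffix.
const shared = storeCookie('api.example.com', 'id_token', { domain: '.example.com' });
console.log(visibleToScript(shared, 'local.example.com'), visibleToScript(shared, 'localhost', 'http')); // true false
```

Because herokuapp.com is on the Public Suffix List, a real browser rejects a Domain=.herokuapp.com cookie exactly as the model does, so the /etc/hosts alias only helps on a domain you control that is not a public suffix.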
        edited Nov 24 at 10:17
        answered Nov 24 at 10:09
        Oluwafemi Sule