Tuesday, August 1, 2017

Browser not keeping cookie from response header


I am trying to do something supposedly simple and easy: set a cookie! But the browser (Chrome and Safari tested) is simply ignoring it. The response headers look like:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/json; charset=utf-8
Date: Wed, 19 Jul 2017 04:51:51 GMT
Server: nginx
Set-Cookie: UserAuth=<some jwt>; Path=/; Domain=10.10.1.110; Expires=Wed, 19 Jul 2017 12:51:51 GMT; HttpOnly; Secure
Transfer-Encoding: chunked
Vary: Origin

The request does include withCredentials=true. But the cookies section in Chrome is empty. I've tried removing the domain altogether, removing the path, every configuration I can think of, but the browser just won't play ball.

What am I missing?

2 Answers

Answer 1

Your cookie shows HttpOnly; Secure.

Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie.

The purpose of the Secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. By setting the Secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.

Cookies will be interrupted if they travel through HTTP with the Secure flag, which requires the TLS layer. So check your preference and set the cookie configuration accordingly.

Answer 2

If you don't use HTTPS for 10.10.1.110, then don't use Secure in the Set-Cookie header. I tested: it works fine without the Secure attribute.

Set-Cookie: UserAuth=<some jwt>; Path=/; Domain=10.10.1.110; Expires=Wed, 19 Jul 2017 12:51:51 GMT; HttpOnly

I found this note on MDN:

Note: Insecure sites (http:) can't set cookies with the "secure" directive anymore (new in Chrome 52+ and Firefox 52+).
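Both answers come down to the same rule: a cookie carrying the Secure attribute is only accepted when the response itself arrived over https:. The Node.js code below is an added example, not code from the original question or either answer. It builds the Set-Cookie header so that Secure is present only when the request really came in over TLS (including the common case where nginx, which the Server header above shows, terminates TLS and proxies plain HTTP to the app, signalled through X-Forwarded-Proto), and it models the browser rule from the MDN note so the outcome can be checked before deploying. Function names, the request objects, and the placeholder token value are assumptions for illustration.

```javascript
// Added example (not from the original post): build Set-Cookie with Secure
// only over TLS, and model the browser rule that an http: response cannot
// set a Secure cookie. Names and sample values are assumptions.

// Decide whether a Node.js request arrived over TLS. Behind a TLS-terminating
// proxy such as nginx the app socket is plain TCP, so trustProxy allows the
// X-Forwarded-Proto header set by the proxy to be used. Only enable it when
// the proxy is the sole path to the app; otherwise a client can forge it.
function isTlsRequest(req, trustProxy = false) {
  if (req.socket && req.socket.encrypted) return true;
  if (trustProxy) {
    const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
    return proto.toLowerCase() === 'https';
  }
  return false;
}

// Build a Set-Cookie header value. HttpOnly is always set because the value
// is a session token that page scripts never need; Secure is set only when
// the response actually travels over TLS, since Chrome 52+ / Firefox 52+
// discard a Secure cookie delivered over plain http:.
function buildSetCookie(name, value, { isTls, domain, maxAgeSeconds } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('invalid cookie value');
  }
  const parts = [`${name}=${value}`, 'Path=/'];
  if (domain) parts.push(`Domain=${domain}`);
  if (Number.isInteger(maxAgeSeconds)) parts.push(`Max-Age=${maxAgeSeconds}`);
  parts.push('HttpOnly');
  if (isTls) parts.push('Secure');
  return parts.join('; ');
}

// Parse a Set-Cookie header into its name/value pair and a lower-cased
// attribute map (valueless attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Model of the rule quoted from MDN: a cookie with the Secure attribute is
// rejected when the response came from an insecure (http:) origin.
function browserWouldStore(responseScheme, setCookieHeader) {
  const { attrs } = parseSetCookie(setCookieHeader);
  if (attrs.secure && responseScheme !== 'https') return false;
  return true;
}

// Constructed requests: plain http as in the question, and https terminated
// by a trusted nginx that forwards X-Forwarded-Proto.
const plainReq = { socket: { encrypted: false }, headers: {} };
const proxiedReq = { socket: { encrypted: false }, headers: { 'x-forwarded-proto': 'https' } };
const token = 'header.payload.signature'; // placeholder standing in for the JWT
const plainHeader = buildSetCookie('UserAuth', token,
  { isTls: isTlsRequest(plainReq), domain: '10.10.1.110', maxAgeSeconds: 28800 });
const tlsHeader = buildSetCookie('UserAuth', token,
  { isTls: isTlsRequest(proxiedReq, true), domain: '10.10.1.110', maxAgeSeconds: 28800 });

console.log(plainHeader, '=> stored over http:', browserWouldStore('http', plainHeader));
console.log(tlsHeader, '=> stored over https:', browserWouldStore('https', tlsHeader));
console.log(tlsHeader, '=> stored over http:', browserWouldStore('http', tlsHeader));
```

The last line reproduces the question's situation: the Secure cookie is silently dropped when delivered over http:. Dropping Secure is the right fix only for a development setup on a private address; for anything reachable by others, keep Secure and serve the app over TLS (or fix the proxy so the app can see that TLS was used).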
