node.js-Why cookie in res headers is not set in browser?

John 2020-12-01 10:06:32

Server side check

Your setting looks fine to me.

  app.use( cors({
    credentials: true,
    origin: "http://localhost:3000",
  }));

I suggest testing your code with some API tool like POSTman which enables CORS request as default. If it works with POSTman, then your server side code has no problem.

Browser issue with CORS + Cookie

Simply, CORS request is nothing but XMLHttpRequest to different domain. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

According to the following doc, https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials

In addition, this flag is also used to indicate when cookies are to be ignored in the response. The default is false. XMLHttpRequest from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request. The third-party cookies obtained by setting withCredentials to true will still honor same-origin policy and hence can not be accessed by the requesting script through document.cookie or from response headers.

Browser will not accept/transfer cookies via CORS request(XMLHttpRequest) unless you enable it.

xhr.withCredentials = true;

Example via browser console

//from http://localhost:3000
const xhr = new XMLHttpRequest();
const url = 'http://localhost:4000/get-cookie-url';
   
xhr.open('GET', url);
xhr.withCredentials = true; // enable browser to transfer cookies
xhr.onload = function(e){
  console.log(e)
};
xhr.send();

Cookie transfer

To illustrate, cookie transfer is similar to handshake.

Both side need to initiate for handshake. If one side(server) initiates and the other(client) does not, handshake will not happen.

When Server initiates cookie transfer,

//Server response header
//Server will response with "Set-Cookie" header when browser requests
...
Set-Cookie: lirr=xxxx; ...
...

When Client(Browser) initiates cookie transfer,

//Client request header
//Client will request with "Cookie" header 
...
Cookie: lirr=xxxx; ....
...

w.k 2020-11-30 23:31:32

Through Postman I got cookies set. Good idea, thank you! Next, your links gave me some hints to look for "credentials" client side. From github.com/benawad/how-to-debug-cookies I got idea how to add "withCredentials" to my client-side. And if I add, cookies are set as needed. BUT: i don't see any difference in headers, even not in preflight ones. So practical half is solved, but theoretical is still not clear to me.

John 2020-12-01 00:28:29

@w.k , well done, it is great to hear you sorted some of it out. To illustrate, cookie transfer is very similar to handshake. I will update the above post with some details.

w.k 2020-12-01 00:48:17

I think, I got it clear after reading more about CORS: I use urql's createClient function, which uses JS Request() for HTTP requests. And Request has default 'same-origin' for credentials. If I not set it client-side to 'include', it just ignores cookies which does not have set by orginal origin. I assumed, that this info is included to the headers, but they have managed in client-side. Thank you once more, your hints lead me to solution.

John 2020-12-01 01:51:37

@w.k , awesome👍 , Thank you, your issue was good review for me as well. Since netscape time, web browser standard has been changed a lot. Also our tools/frameworks abstract underneath. Because of that, we got confused sometimes.🤣

Why cookie in res headers is not set in browser?

Server side check

Browser issue with CORS + Cookie

Example via browser console

Cookie transfer

热门帖子

热门github