HttpOnly cookies are not sent on request

I want to use HttpOnly cookies, and I set them in Java as follows:

    ...
    // Access token: not readable from JavaScript, only sent over HTTPS, valid for the whole site
    Cookie accessTokenCookie = new Cookie("token", userToken);
    accessTokenCookie.setHttpOnly(true);
    accessTokenCookie.setSecure(true);
    accessTokenCookie.setPath("/");
    response.addCookie(accessTokenCookie);

    // Refresh token with the same attributes
    Cookie refreshTokenCookie = new Cookie("refreshToken", refreshToken);
    refreshTokenCookie.setHttpOnly(true);
    refreshTokenCookie.setSecure(true);
    refreshTokenCookie.setPath("/");
    response.addCookie(refreshTokenCookie);
    ...

I received the response on the client side with the cookies, but when I send the next request, the cookies are not in the request. Maybe I missed something, but as I understand it, these HttpOnly cookies should be sent by the browser on every request that goes to a certain path (JavaScript does not have access to these cookies).

I have the following headers:

    Accept:application/json, text/plain, */*
    Accept-Encoding:gzip, deflate, br
    Accept-Language:en-US,en;q=0.8,hu;q=0.6,ro;q=0.4,fr;q=0.2,de;q=0.2
    Authorization:Basic dXNlcm5hbWU6cGFzc3dvcmQ=
    Connection:keep-alive
    Content-Length:35
    content-type:text/plain
    Host:localhost:8080
    Origin:http://localhost:4200
    Referer:http://localhost:4200/
    User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36
    X-Requested-With:XMLHttpRequest

and the following response headers:

    Access-Control-Allow-Credentials:true
    Access-Control-Allow-Origin:http://localhost:4200
    Access-Control-Expose-Headers:Access-Control-Allow-Origin, Content-Type, Date, Link, Server, X-Application-Context, X-Total-Count
    Cache-Control:no-cache, no-store, max-age=0, must-revalidate
    Content-Length:482
    Content-Type:application/json;charset=ISO-8859-1
    Date:Fri, 03 Feb 2017 13:11:29 GMT
    Expires:0
    Pragma:no-cache
    Set-Cookie:token=eyJhbGciO;Max-Age=10000;path=/;Secure;HttpOnly
    Set-Cookie:refreshToken=eyJhb8w;Max-Age=10000;path=/;Secure;HttpOnly
    Vary:Origin

Also, on the client side I use withCredentials: true in Angular2 and send X-Requested-With:XMLHttpRequest as a request header.

And this is Cross Domain.

1 answer

Yes, you are using cookies correctly: the browser should automatically send the cookies until they expire, and the httpOnly flag means that they cannot be accessed or processed using JavaScript.

But

you need to make sure that the cookie you are sending is not cross-domain; if you need cross-domain cookies, you will need to handle them differently.

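As an added example that is not part of the question or the answer, here is a small Python checker that applies the browser's cookie and CORS rules to the headers quoted above: a cookie carrying the Secure attribute is only returned over https (and current browsers refuse to store one that was set over plain http), cookies ignore the port so localhost:4200 versus localhost:8080 is not by itself a problem, and a credentialed cross-origin request additionally needs Access-Control-Allow-Credentials: true with the exact origin echoed rather than "*". The request URL and the header subset below are constructed from the question.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed from the question: the XHR goes to the API over plain http,
# from the Angular dev server origin. Cookie values are truncated as on the page.
REQUEST_URL = "http://localhost:8080/api"
ORIGIN = "http://localhost:4200"
RESPONSE_HEADERS = [
    ("Access-Control-Allow-Credentials", "true"),
    ("Access-Control-Allow-Origin", "http://localhost:4200"),
    ("Set-Cookie", "token=eyJhbGciO;Max-Age=10000;path=/;Secure;HttpOnly"),
    ("Set-Cookie", "refreshToken=eyJhb8w;Max-Age=10000;path=/;Secure;HttpOnly"),
]


def cookie_problems(request_url, origin, headers, with_credentials=True):
    """Return (cookie_name, reason) pairs explaining why a cookie set by this
    response would not come back on the next credentialed request to request_url.
    '*' as the name marks a CORS problem that affects every cookie."""
    parts = urlsplit(request_url)
    hdr = {k.lower(): v for k, v in headers}
    problems = []
    # CORS side: with withCredentials the browser only honours cookies when both hold.
    if with_credentials:
        if hdr.get("access-control-allow-credentials", "").lower() != "true":
            problems.append(("*", "Access-Control-Allow-Credentials is not 'true'"))
        if hdr.get("access-control-allow-origin") != origin:
            problems.append(("*", "Access-Control-Allow-Origin must echo the exact origin, not '*'"))
    # Cookie side: parse each Set-Cookie and test its attributes against the request.
    # Note: no Domain attribute means a host-only cookie, and the port never matters.
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if morsel["secure"] and parts.scheme != "https":
                problems.append((name, "Secure attribute but request is plain http: "
                                       "browser will not store or send this cookie"))
            if morsel["max-age"] and int(morsel["max-age"]) <= 0:
                problems.append((name, "Max-Age <= 0 deletes the cookie immediately"))
            path = morsel["path"] or "/"
            if not parts.path.startswith(path):
                problems.append((name, f"path={path} does not cover {parts.path}"))
    return problems


if __name__ == "__main__":
    for name, reason in cookie_problems(REQUEST_URL, ORIGIN, RESPONSE_HEADERS):
        print(f"{name}: {reason}")
```

Running it on the question's headers reports both cookies as Secure-over-http; the same headers with an https request URL report nothing.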

Source: https://habr.com/ru/post/1263768/
