Cookies not being set on localhost
Hi!
I am setting my cookie on my ASP.NET Core backend:
I am running
create-react-app
on my frontend and I am receiving this cookie in response in the headers. The problem is that the cookie is not being set into cookies when inspecting it in browser and is also not being sent in next API requests.
Frontend: http://localhost:3001/login
- where request is being sent from
Backend: http://localhost:39500/account/login
- API
I tried several settings for the cookie, playing with SameSite and Secure but nothing seems to be working?
How can I make cookies work when working on localhost?42 Replies
Firefox Network tab:
are you using javascript to
fetch
the api?
i don't think fetch
will receive or send cookies by default
setting credentials: 'include'
on the request might help though 😉I was so far focusing on the backend side as I thought that may be the problem.
I am using the redux on the frontend side, I might need to set the credentials then?
the first screenshot looks like your backend sends the cookie out to the frontend already
your problem seems to be related to the frontend, right?
if you use javascript to call your backend you will have to set
credentials: 'include'
to receive/send cookies when you fetch
from your api
especially since you seem hit a api on a different origin ("localhost:3001" vs "localhost:39500")
this also means you have to setup cors or similar to allow the different origin, but since you already get a response this doesnt seem to be the problem, i think 🤷♂️After adding the credentials: 'include' to headers there is no change :/
@Natro AFAIK, if you're calling an API it wouldn't set cookies automatically. You need to do it from the front-end.
This answer seems to be what you're looking for: https://stackoverflow.com/a/44620057/68693
Stack Overflow
ReactJS How To Set Cookie From Fetch Request to Back End
I have a react front end that is talking to a Node Back End. I am able to make requests and such . However, I noticed that I cannot set the cookie that I am getting back. My back end will respond u...
I have httponly cookie though so I will not be able to handle it right?
Also it should be saved automatically afaik?
Just to be clear: You navigate to an url, http://localhost:3001/login, this loads your app and from the app you call an API endpoint, http://localhost:39500/account/login, right?
Yes exactly this
so the 39500 is my ASP.NET Core backend
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
In my experience, credentials and
Access-Control-Allow-Origin
set to wildcard (*
) don't play well. Try setting it to http://localhost:39500/
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
My frontend is on
http://localhost:3000/
though, so I did the following:Raw headers:
Response headers
Request headers
Weirdly I am always getting the following warnings even after deleting cookies and cache for the website:
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
Yes
The answer is already on screen.
Work with SameSite cookies in ASP.NET Core
Learn how to use to SameSite cookies in ASP.NET Core
Updated to following but I still receive the same warning after getting cookie response from backend and it's still not being stored :/
Did you look up every property you changed what it does? :p
Secure = True
means that you can only access the cookie in HTTPS
My frontend is on http://localhost:3000/
though
So I'm not sure if this worksIncluding credentials needs to be set as part of the fetch options, it's not a request header.
What do you mean by that?
When I am fetching I set
credentials: include
on request headers, is this that?No.
I tried SameSite.Lax wit Secure = False and it didnt work as well
But fair point
fetch() - Web APIs | MDN
The global fetch() method starts the process of fetching a
resource from the network, returning a promise which is fulfilled once the response is
available.
See: credentials
Lax is the default one
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#lax
Cookies are not sent on normal cross-site subrequests
The Strict doesn't work as well though?
I believe it's the credentials header
It's not. Where are you making the POST request?
I am making the POST Request in my React App using Redux (RTK-Q) if that's what u are asking me
It's using fetch underneath
The option needs to be provided to fetch.
It's not a request header.
I have no clue what RTK-Q is but looking at the documentation it would appear you're able to provide the option in your
query
(as per https://redux-toolkit.js.org/rtk-query/api/fetchBaseQuery)Note that those examples contain a more common example of authentication: https://redux-toolkit.js.org/rtk-query/api/fetchBaseQuery#setting-default-headers-on-requests
fetchBaseQuery | Redux Toolkit
RTK Query > API: fetchBaseQuery reference
Oh my god
Thank you so much
this just solved my headache I've been having for weeks
I thought setting it as header is the same
Because someone pointed me in that direction
Request headers are just bits of text that get sent in the HTTP request, they can't control what other headers are sent.
But you're welcome anyhow.