R
Railway•2y ago
blazu.g

httpOnly cookies not being set in production using koa

Hi, I'm trying to set httponly cookies in my koajs app but to no avail I have a custom domain in railway server.myapp.com Cookies options:
const domain = config.MY_APP_ENV === 'production' ? 'myapp.com' : undefined;

const options = {
domain,
httpOnly: true,
secure: config.MY_APP_ENV !== 'development',
sameSite: 'lax',
path: '/',
maxAge,
};

context.ctx.cookies.set(COLLECTION_SESSION_COOKIE, token, options);
const domain = config.MY_APP_ENV === 'production' ? 'myapp.com' : undefined;

const options = {
domain,
httpOnly: true,
secure: config.MY_APP_ENV !== 'development',
sameSite: 'lax',
path: '/',
maxAge,
};

context.ctx.cookies.set(COLLECTION_SESSION_COOKIE, token, options);
11 Replies
Percy
Percy•2y ago
Please provide your project ID or reply with N/A. Thread will automatically be closed if no reply is received within 10 minutes. You can copy your project's id by pressing Ctrl/Cmd + K -> Copy Project ID.
Percy
Percy•2y ago
⚠️ experimental feature
Percy
Percy•2y ago
No project ID was provided. Closing thread.
blazu.g
blazu.g•2y ago
N/A I already treid to remove domain option
Ray
Ray•2y ago
A few thoughts on why it's failing: * Does your MY_APP_ENV on Railway have its value set to production? If not, your domain would be undefined * Have you tried changing the domain to server.myapp.com, or using a wildcard (.myapp.com) as the domain? * What are your access-control-allow-* settings? This is considered a cross-origin request so there may be something else required to make this work. * Do you have proxy=true in your Koa server, so that Koa can accept headers from Railway's proxy? (https://koajs.com/#settings) * What do you see set-cookie response header? It should have a domain=.myapp.com; path=/; secure; samesite=lax; httponly at minimum (judging from your cookie options)
Have you tried changing the domain to server.myapp.com, or using a wildcard (.myapp.com) as the domain? Do you have proxy=true in your Koa server, so that Koa can accept headers from Railway's proxy? (https://koajs.com/#settings)
Try these first 🙂
blazu.g
blazu.g•2y ago
sure, I will try it today my app domain is app.myapp.com, does it make sense to set the cookie domain to server.myapp.com?
Ray
Ray•2y ago
I’d recommend using “.myapp.com” as the cookie domain for that setup If you’re setting the cookie from server.myapp.com, I don’t think app.myapp.com has access to that. They’re technically treated as different domains, so a cross origin set-cookie won’t work unless the cooke is set for .myapp.com Just remember that browsers can be pedantic about hostnames (FQDNs to be clear, and for very good reasons!) - myapp.com is not server.myapp.com or app.myapp.com & about your Railway deployment, make sure you have Koa set up to respect proxied headers - Railway proxies requests from the internet to your Koa server; Koa discards some headers for security reasons (if I recall correctly!)
blazu.g
blazu.g•2y ago
what is the difference between .myapp.com and myapp.com? I'm not using { proxy: true } in my Koa server Let me try it
blazu.g
blazu.g•2y ago
Ray
Ray•2y ago
Stack Overflow
How do browser cookie domains work?
Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know the differences. In other...
Ray
Ray•2y ago
do you happen to know where this is coming from?
Want results from more Discord servers?
Add your server