R
Railway•16mo ago
blazu.g

httpOnly cookies not being set in production using koa

Hi, I'm trying to set httponly cookies in my koajs app but to no avail I have a custom domain in railway server.myapp.com Cookies options: 
const domain = config.MY_APP_ENV === 'production' ? 'myapp.com' : undefined;

    const options = {
      domain,
      httpOnly: true,
      secure: config.MY_APP_ENV !== 'development',
      sameSite: 'lax',
      path: '/',
      maxAge,
    };

    context.ctx.cookies.set(COLLECTION_SESSION_COOKIE, token, options);
const domain = config.MY_APP_ENV === 'production' ? 'myapp.com' : undefined;

    const options = {
      domain,
      httpOnly: true,
      secure: config.MY_APP_ENV !== 'development',
      sameSite: 'lax',
      path: '/',
      maxAge,
    };

    context.ctx.cookies.set(COLLECTION_SESSION_COOKIE, token, options);
11 Replies
Percy
Percy•16mo ago
Please provide your project ID or reply with N/A. Thread will automatically be closed if no reply is received within 10 minutes. You can copy your project's id by pressing Ctrl/Cmd + K -> Copy Project ID.
Percy
Percy•16mo ago
You might find these helpful: - session cookies not working - Can't login, cookie not getting set - NextAuth cookies not being set in production
⚠️ experimental feature
Percy
Percy•16mo ago
No project ID was provided. Closing thread.
blazu.g
blazu.g•16mo ago
N/A I already treid to remove domain option
Ray
Ray•16mo ago
A few thoughts on why it's failing: * Does your MY_APP_ENV on Railway have its value set to production? If not, your domain would be undefined * Have you tried changing the domain to server.myapp.com, or using a wildcard (.myapp.com) as the domain? * What are your access-control-allow-* settings? This is considered a cross-origin request so there may be something else required to make this work. * Do you have proxy=true in your Koa server, so that Koa can accept headers from Railway's proxy? (https://koajs.com/#settings) * What do you see set-cookie response header? It should have a domain=.myapp.com; path=/; secure; samesite=lax; httponly at minimum (judging from your cookie options)
Have you tried changing the domain to server.myapp.com, or using a wildcard (.myapp.com) as the domain? Do you have proxy=true in your Koa server, so that Koa can accept headers from Railway's proxy? (https://koajs.com/#settings)
Try these first 🙂
blazu.g
blazu.g•16mo ago
sure, I will try it today my app domain is app.myapp.com, does it make sense to set the cookie domain to server.myapp.com?
Ray
Ray•16mo ago
I’d recommend using “.myapp.com” as the cookie domain for that setup If you’re setting the cookie from server.myapp.com, I don’t think app.myapp.com has access to that. They’re technically treated as different domains, so a cross origin set-cookie won’t work unless the cooke is set for .myapp.com Just remember that browsers can be pedantic about hostnames (FQDNs to be clear, and for very good reasons!) - myapp.com is not server.myapp.com or app.myapp.com & about your Railway deployment, make sure you have Koa set up to respect proxied headers - Railway proxies requests from the internet to your Koa server; Koa discards some headers for security reasons (if I recall correctly!)
blazu.g
blazu.g•16mo ago
what is the difference between .myapp.com and myapp.com? I'm not using { proxy: true } in my Koa server Let me try it
blazu.g
blazu.g•16mo ago
Ray
Ray•16mo ago
https://stackoverflow.com/a/1063760
Stack Overflow
How do browser cookie domains work?
Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know the differences. In other...
Ray
Ray•16mo ago
do you happen to know where this is coming from?
Want results from more Discord servers?
Add your server
More Posts
Setting up MinIO serviceI set up a docker-orchestrated MinIO service locally. Given there is no service template available fMultiple services on a single domainHi! I have 3 services: API (Backend), Landing that uses this API (Frontend) and a Documentation for Deploy from GitHub Repo exits without reasonThis is for a Flask app, but I could see how it could get confused. What/why?Postgresql paused after month limit restoreHi, it´s supposed that datatabases should be restored after month limit, but my databases are still Card declinedYou have an unpaid invoice. Click here to pay your invoice in order to avoid disconnection of servicLong Running ProcessI have a process that takes a little over 40 minutes to complete and have it running once a day usinPostgres using too much memoryI am being overcharged due to my postgres instance, however I cannot restart it to free the memory. Can’t find tables after loading them in from local .sql file using command lineHello, not sure if this isn’t a common pattern(I may just end up using a Docker container for this).Abnormal memory usage on Postgresql pluginHello, I'm having an abnormal memory usage on my Postgresql database Any chance you can **restart Server logs?I am wondering how to inspect the application server logs. Doing `railway logs` just tails the most