C
C#16mo ago
Qu-nii-sama

❔ RefreshToken and Cookies

Hi I have a bug i can't quite figure out. I am trying to persist a refresh token as a cookie on the client. When developing locally I see the refresh token in the application tab ---> cookies but when I inspect the same tab in production I can't see the key-value pair for the refresh token. backend and frontend is both on https cookieoptions httpflag and secure are set to true. samesite to none The http call for login where the refresh token is issued have the withCrendentials set to true. The Cors is also set to AllowCredentials() When i login in production environment i see the refreshToken cookie in the response header. but not in the application tab -> cookies. but the follow sub request i see the refreshtoken in the request header. How do i get the refresh token to appear in the application tab -> cookies 
    public static void AddCorsExtension(this IServiceCollection services )
    {
        var myAllowSpecificOrigins = "_myAllowSpecificOrigins";
        
        services.AddCors(options =>
        {
            options.AddPolicy(name: myAllowSpecificOrigins,
                              policy  =>
                              {
                                  policy.WithOrigins(MyAppData.Configuration["AllowedOrigins:Production"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Https"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Staging"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Dev"] ?? throw new InvalidOperationException())
                                        .AllowAnyHeader()
                                        .AllowAnyMethod()
                                        .AllowCredentials();
                              });
        });
    }
    public static void AddCorsExtension(this IServiceCollection services )
    {
        var myAllowSpecificOrigins = "_myAllowSpecificOrigins";
        
        services.AddCors(options =>
        {
            options.AddPolicy(name: myAllowSpecificOrigins,
                              policy  =>
                              {
                                  policy.WithOrigins(MyAppData.Configuration["AllowedOrigins:Production"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Https"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Staging"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Dev"] ?? throw new InvalidOperationException())
                                        .AllowAnyHeader()
                                        .AllowAnyMethod()
                                        .AllowCredentials();
                              });
        });
    }
The next method is part of login endpoint 
    private void SetRefreshTokenCookie(string newRefreshToken)
    {
        var refreshTokenCookieOptions = new CookieOptions
        {
            HttpOnly = true,              // Prevent XSS
            Secure   = true,              // Set to true to ensure cookies only sent over https
            SameSite = SameSiteMode.None, // Use none because of 3-Tier architecture - different domains 
            Expires  = DateTime.UtcNow.AddDays(int.Parse(_configuration["JWT:RefreshTokenValidityInDays"])),
            Path     = "/",
        };
        
        _httpContextAccessor.HttpContext?.Response.Cookies.Append("RefreshToken", newRefreshToken, refreshTokenCookieOptions);
    }
    private void SetRefreshTokenCookie(string newRefreshToken)
    {
        var refreshTokenCookieOptions = new CookieOptions
        {
            HttpOnly = true,              // Prevent XSS
            Secure   = true,              // Set to true to ensure cookies only sent over https
            SameSite = SameSiteMode.None, // Use none because of 3-Tier architecture - different domains 
            Expires  = DateTime.UtcNow.AddDays(int.Parse(_configuration["JWT:RefreshTokenValidityInDays"])),
            Path     = "/",
        };
        
        _httpContextAccessor.HttpContext?.Response.Cookies.Append("RefreshToken", newRefreshToken, refreshTokenCookieOptions);
    }
And lastly clientside code 
  login(payload: any) {
    console.log('login');
    return this.httpClient
      .post(`${this.url}${this.endpoint}/login`, payload, {
        observe: 'response',
        responseType: 'json',
        withCredentials: true,
      })
      .pipe(
        tap((response: HttpResponse<object>) => {
          this.handleAuthentication(response);
        })
      );
  }
  login(payload: any) {
    console.log('login');
    return this.httpClient
      .post(`${this.url}${this.endpoint}/login`, payload, {
        observe: 'response',
        responseType: 'json',
        withCredentials: true,
      })
      .pipe(
        tap((response: HttpResponse<object>) => {
          this.handleAuthentication(response);
        })
      );
  }
I need that refreshToken to appear in the cookies in production
2 Replies
Qu-nii-sama
Qu-nii-samaOP16mo ago
Alright so I did some digging apparantly , when setting the httpOnly its expected behavior not to see the refreshToken in the cookie in production. the refreshToken still get send with the sub request but my problem is that its seems like the browser is loosing that refreshToken after some time before the expirations time
Accord
Accord16mo ago
Looks like nothing has happened here. I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server