KPC
Kevin Powell - Community2mo ago
Xenon

Need Help With Cookie

I'm generating a token when the user logs in, & sending it to the browser, but the catch is cookie is present in the network tab (as a login response) But it is not getting added to the Application > Storage > Cookies So whenever I refresh, I keep getting logout as the cookie is not present in the req.cookies.COOKIE_NAME. I'm tired for 2-3 days, what is causing this problem ? 😭😭😭
No description
No description
No description
No description
31 Replies
ἔρως
ἔρως2mo ago
the cookie is only accessible over http you can see that because the H column had a checkmark
hgs
hgs2mo ago
U could put it in same origin or use proxy
ἔρως
ἔρως2mo ago
it probably won't work the cookie is http only javascript doesn't have access to it
hgs
hgs2mo ago
need some config with credentials
ἔρως
ἔρως2mo ago
that won't matter if the server sends the cookie set to http only
ἔρως
ἔρως2mo ago
if the H has a tick mark, javascript will never see it
No description
ἔρως
ἔρως2mo ago
also, the "expires" is set to "session", which means that the cookie will be lost when the browser closes i think it is gone too, if you close a tab
hgs
hgs2mo ago
Agree with session part But I think config the credentials will store cookie with HTTPonly option
ἔρως
ἔρως2mo ago
if that happens, that's a massive security issue
hgs
hgs2mo ago
I just checked my website😂
No description
ἔρως
ἔρως2mo ago
you shouldn't be able to read it from js but, it should be sent in all http requests for that domain
hgs
hgs2mo ago
I agree it
ἔρως
ἔρως2mo ago
and here:
[...] keep getting logout as the cookie is not present in the req.cookies.COOKIE_NAME.
he's trying to read the cookie from javascript which will never work which means, he relies on reading the cookie and passing it to something else to get the information
hgs
hgs2mo ago
I read it by middleware in server side
ἔρως
ἔρως2mo ago
with the http only flag, that's the only place where you can read it or manually, in the developer tools
hgs
hgs2mo ago
My site was ddos by cookie It's unsafe
ἔρως
ἔρως2mo ago
i can't see how that's possible, since cookies are supposed to be limited to 4kb unless it was a specially crafted request that goes above the 4kb and the server chokes
hgs
hgs2mo ago
bcs I didn't set limit for api calls, and someone used cookie with scripts to call apis for 3000 times in half a hour
ἔρως
ἔρως2mo ago
ah, it wasn't the cookie fault but the lack of rate limits
hgs
hgs2mo ago
emmm. thats more accurate
ἔρως
ἔρως2mo ago
but that is interesting nonetheless but, going back to the topic here op can't get the cookie in javascript because it's http only to read it, the code must run in the server, or the cookie must be sent without the http only flag
hgs
hgs2mo ago
if its nextjs. op could read it in middleware
ἔρως
ἔρως2mo ago
or send the token over in the server response as well
hgs
hgs2mo ago
u mean send token by api response?
ἔρως
ἔρως2mo ago
yes it doesn't fix the issue, but can be used as a crutch
hgs
hgs2mo ago
yep, I thought of this path before
ἔρως
ἔρως2mo ago
it's not good. but works in a pinch
hgs
hgs2mo ago
In nextjs, rewrite and middleware could solve it Its convenient
ἔρως
ἔρως2mo ago
we dont know the stack and he hasnt said anything in a long time
hgs
hgs2mo ago
let's wait...
ἔρως
ἔρως2mo ago
ive been waiting
Want results from more Discord servers?
Add your server