Tags: cookies, jwt, cross-domain, session-cookies, chromium

Session cookies working successfully in Postman, not Chrome


This is my first time messing around with session cookies and I'm having a pretty hard time. I'd really appreciate any help!

I'd like to note:

  • I'm experiencing all of these issues locally on Chrome
  • I have absolutely no issue receiving the cookie and authenticating the request using Postman. It's Chrome that doesn't set the cookie.

The Server

My server is running on http://localhost:7000/

I'm sending cookies to the client from the server by setting the Set-Cookie header like so:

val cookie = """jwt=$token; Path=/; Domain=localhost; Max-Age=86400; Expires=Thu, 19 Aug 2021 12:20:23 GMT; SameSite=Strict;"""

ctx.header("Set-Cookie", cookie)

I also have cors set up:

it.header(Header.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")
it.header(Header.ACCESS_CONTROL_ALLOW_METHODS, "*")
it.header(Header.ACCESS_CONTROL_ALLOW_HEADERS, "*")

The Front End

My FE is running on http://localhost:3000/

Here's what an auth request/response looks like: [screenshot]

Here's what one of the failed requests looks like. Notice how there is no cookie set: [screenshot]

I've also noticed that the cookie does not show up in Chrome's Cookies in use view: [screenshot]

My Understanding

From what I understand, I can use SameSite=Strict since both FE & BE are running locally on localhost.

When I move into production, FE & BE will not be on the same domain. Then, I'd have to use SameSite=None; Strict. Is this correct?

Also, I'm aware that I can also include HttpOnly, but I'm not at the moment for debugging purposes.

Is my understanding correct?

Thanks!

Thanks in advance for any help you might be able to provide, it's greatly appreciated!


Solution

  • I wasn't properly setting credentials: include 🤦
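An added example (not from the question or its solution) showing the three pieces that have to line up for a cross-origin session cookie: the Set-Cookie value for the local and the cross-site case, the fetch option the solution names, and CORS headers that are valid alongside Access-Control-Allow-Credentials. All names, origins and values are constructed.

```javascript
// Build a Set-Cookie value from attributes, refusing combinations browsers reject.
// Domain is deliberately omitted: without it the cookie is host-only, which is
// what a localhost setup needs.
function buildSetCookie({ name, value, path = "/", maxAge, sameSite = "Lax",
                          secure = false, httpOnly = false }) {
  if (!/^[^\s;=]+$/.test(name)) throw new Error("invalid cookie name");
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  // SameSite=None is the cross-site setting, and browsers require Secure with it.
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None requires Secure");
  }
  parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Client side: fetch neither sends nor stores cookies across origins unless
// credentials is "include" (the default "same-origin" drops them).
function withCredentials(init = {}) {
  return { ...init, credentials: "include" };
}

// Server side: CORS headers that work with credentialed requests. The origin
// must be echoed explicitly from an allow-list; "*" is not accepted by browsers
// next to Access-Control-Allow-Credentials: true, and the same applies to the
// method and header lists. Vary: Origin keeps caches from mixing responses.
function corsHeadersFor(origin, allowedOrigins) {
  if (!allowedOrigins.includes(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
}

// Constructed usage: local development and the cross-site production variant.
const devCookie = buildSetCookie({ name: "jwt", value: "<token>", maxAge: 86400,
                                   sameSite: "Strict" });
const prodCookie = buildSetCookie({ name: "jwt", value: "<token>", maxAge: 86400,
                                    sameSite: "None", secure: true, httpOnly: true });
const cors = corsHeadersFor("http://localhost:3000", ["http://localhost:3000"]);
```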