Tags: javascript, cookies, cors, setcookie

Why are Cookies not being set in request headers?
I am updating the authorization process on an old Symfony REST API / AngularJS App combo.

On authentication, the server provides cookies containing a couple of tokens to be stored in the browser so that they are added as headers in subsequent requests - pretty standard - but the cookie headers have not been included in the following requests since the deployment to my test server.

Everything works fine locally, so I assume I am missing some security config somewhere in my request/response headers.

A few notes:

  • The API and the app are on the same domain but different subdomains
  • Both of the subdomains use HTTPS
  • mydomain.com is not in the public suffix list
  • The cookie
    • secure flag is set
    • SameSite option is set to strict
    • path option set to / so all the routes of my API should be hit
    • domain option set to mydomain.com. If I understand correctly, it should allow the cookies to be set for all mydomain.com subdomains.
  • Requests include the withcredentials header
  • Responses include the access-control-allow-credentials header

In the DevTools, this is what the login request looks like:

General
----------
Request URL: https://subdomain1.mydomain.com/login
Request Method: GET
Status Code: 200 
Remote Address: xxx.xxx.xxx.xxx:xxx
Referrer Policy: strict-origin-when-cross-origin

Response Headers
----------
access-control-allow-credentials: true
access-control-allow-origin: https://subdomain2.mydomain.com
cache-control: private, must-revalidate
content-encoding: br
content-type: application/json
date: Sat, 04 Mar 2023 01:39:21 GMT
expires: -1
host-header: 6b7412fb82ca5edfd0917e3957f05d89
pragma: no-cache
server: nginx
set-cookie: BEARER=<JWT_TOKEN>; expires=Sat, 04-Mar-2023 02:39:21 GMT; Max-Age=3600; path=/; domain=mydomain.com; secure; httponly; samesite=strict
set-cookie: refresh_token=<REFRESH_TOKEN>; expires=Mon, 03-Apr-2023 01:39:21 GMT; Max-Age=2592000; path=/token; domain=mydomain.com; secure; httponly; samesite=strict
vary: Accept-Encoding
vary: Authorization
x-httpd: 1
x-proxy-cache: MISS
x-proxy-cache-info: 0 NC:000000 UP:SKIP_CACHE_SET_COOKIE
x-robots-tag: noindex

Request Headers
----------
:authority: subdomain1.mydomain.com
:method: GET
:path: /login
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-CA,en;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-GB;q=0.6,en-US;q=0.5
authorization: <ACCESS TOKEN>
cache-control: no-cache
origin: https://subdomain2.mydomain.com
pragma: no-cache
referer: https://subdomain2.mydomain.com/
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
withcredentials: true

I read dozens of other questions with the same kind of problem, but I still can't figure out where I am messing up. Some help would be greatly appreciated.
Solution

  • withcredentials isn't an HTTP header.

    withCredentials is a property of the XMLHttpRequest object.

    The fetch API uses the credentials option instead.