cookiessveltekit
Cookie not set when calling API from Sveltekit server action
I have a simple ASP.NET API which exposes a login endpoint that returns a session cookie upon succesful authentication. As expected, when I call this API from the client side (Sveltekit application) I receive the cookie and everything works as expected:
// +page.svelte
<script>
const handleSubmit = async (event) => {
await fetch("http://localhost:5052/auth/login", {
method: 'POST',
credentials: 'include',
})
}
</script>
<form method="POST" on:submit|preventDefault={handleSubmit}>
...
</form>
Submitting the form sends the request and returns the cookie:
The problem occurs when I try to call this login API from a Sveltekit form action:
// +page.svelte
<script>
import { enhance } from '$app/forms';
<script>
<form method="POST" use:enhance>
...
</form>
// +page.server.ts
import type { Actions } from "./$types";
export const actions = {
default: async ({ fetch, request }) => {
await fetch("http://localhost:5052/auth/login", {
method: 'POST',
credentials: 'include',
})
}
} satisfies Actions;
The response from the server action does not contain any Set-Cookie header and the client will not receive any cookies. Could somebody tell me what I'm missing here?
Solution
The request is being processed in the SvelteKit server, so the browser never gets the cookie. There are probably various valid options:
- Forward the response directly via a
+server.tsendpoint - Forward it via a hook
- Process the response and set cookies in the form action (form actions do not return full
Responseobjects, so you cannot just forward the response)
For the last option, it would look something like this:
export const actions = {
default: async ({ fetch, cookies }) => {
const response = await fetch("http://localhost:5052/auth/login", {
method: 'POST',
credentials: 'include',
});
// [error handling here]
const cookie = response.headers.get('set-cookie');
const token = getCookieToken(cookie); // [implement this]
cookies.set('session_id', token);
}
} satisfies Actions;
- Issue with Setting Multiple Cookies in ESP32 Web Server Response
- httpOnly cookie with React NodeJS not sending cookie to server by applying the network IP address
- 3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
- How do I use window.fetch() with httpOnly cookies or basic auth
- Graphql Set-Cookie being sent but not being set
- How to Delete a Cookie in a Next.js 14 Middleware After External API Validation
- Protect the app from bypassing the root detection (Frida Server)
- Refresh token coming from Nest.js as cookie does not get persisted after refresh
- Where to store the refresh token on the Client?
- Next.js 15: Error setting cookies in server action
- Setting cookie from java spring boot rest API to angular
- Correct way to delete cookies server-side
- Browser ignoring Set-Cookie
- How to Properly Set Up Auth Middleware in Nuxt 3 with Node.js Backend?
- How do I store a cookie recording if a user clicked a button, using JavaScript?
- Can using access token alone prevent CSRF attack, since browser prevents accessing cookies of another site?
- How does Double Submit Cookie Pattern Prevent against CSRF attacks?
- Curl cookie authentication
- Set-Cookies Header not setting the cookie
- Why CSRF token should be in meta tag and in cookie?
- I can't receive `httponly` cookie on `localhost` HTTPS back end
- How to get cookie value in expressjs
- Cookie with Max-Age = 0 and Expire = session survived after HTTP redirect?
- Sending custom cookies (and viewing the ones set naturally) with Perl's WWW::Mechanize
- Cookies headers are present but Cookies are not stored in browser
- Django HTTP response always sets `sessionid` cookie and session data do not persist
- How to delete a cookie in FastHTML?
- How to disable cookies in Django manually
- How to delete cookie with Django in Docker?
- Unable to set/get/delete cookies in Next.js 15 route handlers using the Cookies API?