
What is the point of http-only cookies and how to make your authentication secure?


EDIT: Incorrect question. I was getting only an empty object at the backend due to misconfiguration. I thought it was a part of HTTP-ONLY to make cookies inaccessible. (I cannot delete the question)

Problem:

In my Express server I set an http-only cookie.

res.cookie("hiddenCookie", <value>, { httpOnly: true, ...<fields> });

Then, of course, we cannot access it via JavaScript on the client side, as expected.

Now if I send a new request, the cookie is only an empty object.

console.log(req.cookies); // Logged Value: { hiddenCookie: {} }

Maybe because I also cannot access it via JavaScript?

But, I want to access that cookie from the server to implement an auto log-in.


My step-by-step plan for auto login:

  1. Set a refreshToken cookie that is http-only and lives for 7 days, and an accessToken cookie that lives for 5 minutes.
  2. If accessToken is invalid, server checks for refreshToken in the cookies.
  3. If refreshToken is valid, automatically issue a new accessToken and refreshToken so that you will only have to explicitly log in if inactive for 7 days straight.

Why this?

accessToken is the main identifier for the user. It can be accessed by the client. To avoid repeated sign-in due to session expiration, I made another token (refreshToken) which lives long and is meant as the second identifier for the user and is not accessible in the client side.


Question:

Is there a way to communicate to it that the refreshToken should reveal itself to the server because it is created here, but not to anyone else?

If the question above is not possible because http-only cookies are not meant to be accessible via JavaScript, where can I store the user's second identifier?

Or maybe simplify everything and just use one token?

I really don't know. Your help is greatly appreciated!


Solution

  • If you want to receive the httpOnly cookie on your server when you make a request to the server from the client page, you enable `withCredentials` (for XMLHttpRequest) or `{ credentials: "include" }` (for fetch). The cookie will be sent to the server without the JavaScript code being able to see it.

    MDN Documentation source
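
Both halves of that rule, as an added example (not the answerer's code): the browser only attaches cookies to a cross-site request when the caller opts in with `credentials: "include"`, and the server must then answer with `Access-Control-Allow-Credentials: true` and the exact requesting origin, because browsers reject a wildcard `Access-Control-Allow-Origin: *` on credentialed requests. The origins `https://app.example.com` and `https://api.example.com` and the `/me` path are assumptions for illustration.

```javascript
// Added example: client opt-in plus the matching server-side CORS headers.
// Origins and paths are assumed for illustration.

// --- client side (browser) ---
// credentials: "include" makes the browser send cookies, HttpOnly ones included,
// even cross-site; the script still cannot read them through document.cookie.
async function fetchWithCookies(url, init = {}) {
  return fetch(url, { ...init, credentials: "include" });
}

async function loadProfile() {
  const res = await fetchWithCookies("https://api.example.com/me");
  if (res.status === 401) {
    // Both tokens expired or absent: this is the one case that needs a real login.
    return null;
  }
  return res.json();
}

// --- server side ---
// Allow list of front-end origins that may make credentialed requests.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Build the CORS response headers for a credentialed request, or return null
// when the Origin is not on the allow list so the caller can refuse it.
function corsHeadersFor(originHeader) {
  if (!originHeader || !ALLOWED_ORIGINS.has(originHeader)) return null;
  return {
    // Echo the exact origin; "*" is not accepted alongside credentials.
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET,POST",
    "Access-Control-Allow-Headers": "Content-Type",
    // The response differs per Origin, so caches must key on it.
    "Vary": "Origin",
  };
}

// Express wiring (assumed; shown as a comment so this file runs without express):
//   app.use((req, res, next) => {
//     const origin = req.get("Origin");
//     const headers = corsHeadersFor(origin);
//     if (origin && !headers) return res.sendStatus(403); // unknown cross-site caller
//     if (headers) res.set(headers);
//     if (req.method === "OPTIONS") return res.sendStatus(204); // preflight
//     next();
//   });
```

If the page and the API share an origin, none of the CORS headers are needed and the default `credentials: "same-origin"` already sends the cookies; the opt-in only matters once the API lives on a different host or port, which is the usual case with a separate Express backend in development.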