HttpOnly cookies not sent by request

Question

I want to use HttpOnly cookies and I set it in Java as follows:

...

Cookie accessTokenCookie = new Cookie("token", userToken);
accessTokenCookie.setHttpOnly(true);
accessTokenCookie.setSecure(true);
accessTokenCookie.setPath("/");
response.addCookie(accessTokenCookie);
Cookie refreshTokenCookie = new Cookie("refreshToken", refreshToken);
refreshTokenCookie.setHttpOnly(true);
refreshTokenCookie.setSecure(true);
refreshTokenCookie.setPath("/");
response.addCookie(refreshTokenCookie);

...

I got the client side the response with the cookies, but when I send the next request I do not have the cookies on the request. Maybe I miss something, but as I understood, these HttpOnly cookies has to be sent by the browser back on every request (JavaScript does not have access to those cookies) coming to the defined path.

I have the following Request Headers:

Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8,hu;q=0.6,ro;q=0.4,fr;q=0.2,de;q=0.2
Authorization:Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Connection:keep-alive
Content-Length:35
content-type:text/plain
Host:localhost:8080
Origin:http://localhost:4200
Referer:http://localhost:4200/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36
X-Requested-With:XMLHttpRequest

and the following response headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:4200
Access-Control-Expose-Headers:Access-Control-Allow-Origin, Content-Type, Date, Link, Server, X-Application-Context, X-Total-Count
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:482
Content-Type:application/json;charset=ISO-8859-1
Date:Fri, 03 Feb 2017 13:11:29 GMT
Expires:0
Pragma:no-cache
Set-Cookie:token=eyJhbGciO;Max-Age=10000;path=/;Secure;HttpOnly
Set-Cookie:refreshToken=eyJhb8w;Max-Age=10000;path=/;Secure;HttpOnly
Vary:Origin

Also in the client side I use withCredentials: true in Angular2 and X-Requested-With:XMLHttpRequest as request header.

And it is Cross Domain.

Hi !! I have faced a same issue. When I removed HTTP only flag then it works. Have you found any other work around ? — Nirav Shah, Oct 04 '17 at 08:59
By removing the Secure flag from cookies, resolved the problem — István, Oct 05 '17 at 09:11

score 4 · Accepted Answer · answered Feb 03 '17 at 06:58

4

Yes you are correct having the cookie your browser should send the cookie automatically while it is not expired and the httpOnly flag means it cannot be accessed or manipulated via JavaScript.

However

You need to ensure that the cookie you are sending is not cross domain, if you require it cross domain you will need to handle it differently.

answered Feb 03 '17 at 06:58

Robert Leggett

942
1
8
22

Yes it's a cross domain cookie, how do I have to handle it? – István Feb 03 '17 at 06:59
Personally for your situation I would use JWT and headers but if you must use cross domain cookies try http://stackoverflow.com/questions/3342140/cross-domain-cookies – Robert Leggett Feb 03 '17 at 07:15
1

by removing the `Secure` flag from cookies, resolved the problem – István Feb 03 '17 at 14:22

HttpOnly cookies not sent by request

1 Answers1