
I'm using the Golang http library to set and return a jwt cookie to the client on successful login, like so:

import "net/http"

// Login handler: on success, set the jwt cookie. No Path is given, so the
// client defaults it to the request path's directory (/v3/auth/user).
func loginHandler(p_w http.ResponseWriter, _ *http.Request) {
    cookie := &http.Cookie{
        Name:   "jwt",
        Value:  "XXXXXXXX",
        Domain: "irisvr-dev.com",
    }
    http.SetCookie(p_w, cookie)
}

I first send a request from https://irisvr.com to https://api.irisvr.com:

authority: api.irisvr-dev.com
method: POST
path: /v3/auth/user/login
scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,ko-KR;q=0.8,ko;q=0.7
content-length: 57
content-type: application/json
origin: https://irisvr-dev.com
referer: https://irisvr-dev.com/login
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

And the server responds as expected:

access-control-allow-credentials: true
access-control-allow-headers: X-Requested-With,Content-Type,Authorization,Iris-User-Id
access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE
access-control-allow-origin: *
alt-svc: clear
content-length: 380
content-type: application/json
date: Fri, 09 Nov 2018 15:27:12 GMT
set-cookie: jwt=XXXXXXXX; Domain=irisvr-dev.com // <-------- here
status: 200
via: kong/0.14.0, 1.1 google
x-kong-proxy-latency: 1
x-kong-upstream-latency: 50

However, inspecting document.cookie and/or expanding the Cookies tab in dev tools does not show the jwt cookie being set. I definitely have cookies enabled, as you can see some other third-party plugins setting them successfully:

[screenshot: dev tools Cookies tab showing third-party cookies but no jwt cookie]

What am I missing here?

asked by robinnnnn

Comments:

  • Make sure [withCredentials](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials) is enabled; else the client ignores cookies. – Peter Nov 09 '18 at 15:54
  • What makes you think that api.irisvr.com accepts cookies with a domain of irisvr-dev.com? If that were possible it would be a security nightmare. You send a cookie which _must_ _not_ be accepted and you wonder why it is not accepted? – Volker Nov 09 '18 at 16:17
  • @Volker setting the domain to irisvr-dev.com allows cookie sharing [across subdomains](https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain) – robinnnnn Nov 09 '18 at 16:20
  • If the path is not set in the set-cookie header, then the client uses the request path as the cookie path. Set the cookie path to "/" on the server. – Cerise Limón Nov 09 '18 at 17:10
  • @robinnnnn I actually do know how the domain attribute is used in a cookie and I can assure you that a browser will not accept a cookie with a "different" (the rules are complicated) domain: A server with domain api.irisvr.com may not set cookies with domain irisvr-dev.com. Maybe my first comment was unclear in this regard. – Volker Nov 10 '18 at 15:59
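Added example, not from the question or any of the commenters: Go's net/http/cookiejar applies the RFC 6265 domain and path rules a browser applies, so it can replay the set-cookie header above and show which requests would actually get the cookie back. Assumptions: the jar is created with no public-suffix list, and https://api.irisvr.com is the host from the question's first sentence.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// storeAndLookup feeds one raw Set-Cookie header, received in a response to
// responseURL, into a fresh RFC 6265 cookie jar and returns the names of the
// cookies the jar would attach to a request for lookupURL.
func storeAndLookup(responseURL, setCookie, lookupURL string) []string {
	jar, err := cookiejar.New(nil) // nil: no public-suffix list (assumption)
	if err != nil {
		panic(err)
	}
	from, err := url.Parse(responseURL)
	if err != nil {
		panic(err)
	}
	to, err := url.Parse(lookupURL)
	if err != nil {
		panic(err)
	}
	// Parse the header line exactly as net/http does for a real response.
	resp := &http.Response{Header: http.Header{"Set-Cookie": {setCookie}}}
	jar.SetCookies(from, resp.Cookies())
	names := []string{}
	for _, c := range jar.Cookies(to) {
		names = append(names, c.Name)
	}
	return names
}

func main() {
	login := "https://api.irisvr-dev.com/v3/auth/user/login" // request in the question
	page := "https://irisvr-dev.com/login"                   // page inspecting document.cookie
	hdr := "jwt=XXXXXXXX; Domain=irisvr-dev.com"            // header the server sent
	// No Path attribute: the jar defaults it to /v3/auth/user, so the
	// cookie is stored but never sent to (or visible on) /login.
	fmt.Println(storeAndLookup(login, hdr, page))  // []
	fmt.Println(storeAndLookup(login, hdr, login)) // [jwt]
	// Path=/ (Cerise Limón's suggestion) makes it visible site-wide.
	fmt.Println(storeAndLookup(login, hdr+"; Path=/", page)) // [jwt]
	// A host outside irisvr-dev.com (api.irisvr.com) cannot set a cookie for it.
	other := "https://api.irisvr.com/v3/auth/user/login"
	fmt.Println(storeAndLookup(other, hdr+"; Path=/", page)) // []
}
```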

0 Answers