I am creating a REST API for my app. The frontend is on localhost:3001 and the backend is PHP Slim on localhost:8000. I am trying to set cookies with the response to a sign-up request. I am using https://github.com/dflydev/dflydev-fig-cookies for cookies, and this is how the code looks:

    public function postSignUp(Request $request, Response $response)
    {
        $body = $request->getParsedBody();

        /**
         * code for creating user
         */

        // Log the new user in and issue an access token plus a refresh token.
        $result = $this->auth->authenticate($body['email'], $body['password']);
        $token = $this->auth->generateAccessToken($this->auth->user);
        $refreshToken = $this->auth->generateRefreshToken();

        $response = $response->withStatus(201)->withJson(['message' => 'success']);

        // Attach the refresh token as an HttpOnly cookie (FigResponseCookies and
        // SetCookie come from the Dflydev\FigCookies namespace).
        $response = FigResponseCookies::set($response, SetCookie::create('refresh_token')
            ->withValue($refreshToken['refresh_token'])
            ->withDomain('localhost')
            ->withPath('/')
            ->withExpires($refreshToken['expiration'])
            ->withHttpOnly());

        return $response;
    }

And these are the headers which I get on the client:
Response Headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: POST,OPTIONS
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: application/json
Date: Thu, 28 May 2020 14:25:33 GMT
Server: nginx/1.17.10
Set-Cookie: refresh_token=5ecfc9dd79a504.09760437; Domain=localhost; Path=/; Expires=Thu, 11 Jun 2020 14:25:33 GMT; HttpOnly
Transfer-Encoding: chunked
X-Powered-By: PHP/7.4.4
Request Headers:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,ru-UA;q=0.8,ru;q=0.7,zh-CN;q=0.6,zh;q=0.5,en-US;q=0.4,uk;q=0.3
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 96
Content-Type: application/json
Host: localhost:8000
Origin: http://localhost:3001
Pragma: no-cache
Referer: http://localhost:3001/sign-up
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
As you can see, there is a Set-Cookie: refresh_token=5ecfc9dd79a504.09760437; Domain=localhost; Path=/; Expires=Thu, 11 Jun 2020 14:25:33 GMT; HttpOnly
header, but in the Application tab's cookies nothing appears.
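
The browser rules that bear on the headers shown above, as an added example that is not part of the original post: it models, per the Fetch standard, whether a cross-origin response's Set-Cookie header is processed and whether the page's script may read the response. The function name `evaluate`, its result fields and the backend path `/sign-up` are assumptions made for illustration.

```javascript
// Added example, not code from the post. Models two Fetch-standard rules:
//  1. Set-Cookie is processed only when the request was sent with credentials.
//  2. The CORS check decides whether the page's script may read the response.
function evaluate({ pageOrigin, url, credentials = "same-origin" }, headers) {
  const origin = new URL(pageOrigin).origin;
  const sameOrigin = origin === new URL(url).origin; // a different port is a different origin
  // XHR without withCredentials and fetch() without options both use "same-origin".
  const setCookieProcessed =
    credentials === "include" || (credentials === "same-origin" && sameOrigin);

  const allowOrigin = headers["access-control-allow-origin"];
  const allowCreds = headers["access-control-allow-credentials"];
  let responseReadable = false;
  let reason;
  if (sameOrigin) {
    responseReadable = true;
    reason = "same-origin request, no CORS check";
  } else if (allowOrigin === undefined) {
    reason = "no Access-Control-Allow-Origin header";
  } else if (credentials !== "include" && allowOrigin === "*") {
    responseReadable = true;
    reason = "wildcard accepted for a request without credentials";
  } else if (allowOrigin !== origin) {
    reason = "Access-Control-Allow-Origin must equal the page origin exactly";
  } else if (credentials !== "include" || allowCreds === "true") {
    responseReadable = true;
    reason = "origin matched";
  } else {
    reason = "Access-Control-Allow-Credentials: true is missing";
  }
  return { setCookieProcessed, responseReadable, reason };
}

// Constructed inputs: origins and CORS headers copied from the post; the
// backend path "/sign-up" is a hypothetical placeholder.
const page = { pageOrigin: "http://localhost:3001", url: "http://localhost:8000/sign-up" };
const posted = { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" };
const explicit = { ...posted, "access-control-allow-origin": "http://localhost:3001" };

const asPosted = evaluate(page, posted);
const withCredsWildcard = evaluate({ ...page, credentials: "include" }, posted);
const withCredsExplicit = evaluate({ ...page, credentials: "include" }, explicit);
console.log({ asPosted, withCredsWildcard, withCredsExplicit });
```

`setCookieProcessed` only says the browser parses the Set-Cookie header; the cookie's own attributes (Domain, Path, SameSite, Secure) are still checked before it is stored. Echoing one allow-listed origin, rather than reflecting whatever Origin arrives, keeps credentialed responses readable only by the intended frontend.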