I see some weird behavior with an HttpOnly cookie: if I make a subsequent request, the Set-Cookie header sent from the backend is not sent properly on the next request.
For example, I tried it even via the Chrome DevTools console:
    // Fire ten refresh requests, 250 ms apart, each sending the current cookies
    for (let i = 0; i < 10; i++) {
      setTimeout(() => fetch("https://auth-stg.mydomain.com/api/auth/login/refresh?attemptingLogin=true", {
        "headers": {
          "accept": "application/json, text/plain, */*",
          "accept-language": "en-US,en;q=0.9",
          "sec-ch-ua": "\"Not A(Brand\";v=\"99\", \"Google Chrome\";v=\"121\", \"Chromium\";v=\"121\"",
          "sec-ch-ua-mobile": "?0",
          "sec-ch-ua-platform": "\"macOS\"",
          "sec-fetch-dest": "empty",
          "sec-fetch-mode": "cors",
          "sec-fetch-site": "same-origin"
        },
        "referrerPolicy": "strict-origin-when-cross-origin",
        "body": null,
        "method": "POST",
        "mode": "cors",
        "credentials": "include"   // attach cookies (including the HttpOnly refresh token)
      }), 250 * (i + 1));
    }
Cookies are being set, but every other request gets the previous cookie, e.g.:
req1: request headers: cookie: refresh-token=0, response headers: set-cookie: refresh-token=1
req2: request headers: cookie: refresh-token=0, response headers: none (invalid refresh token)
req3: request headers: cookie: refresh-token=1, response headers: set-cookie: refresh-token=2 ...
If, for example, I increase the setTimeout from 250 -> 1000, all requests use the subsequent Set-Cookie and it works as intended.
Any idea why this happens? And is it normal behaviour? It causes me some issues regarding authentication when the token expires and I refresh it and then retry the original request.
Thanks!
I believed the Set-Cookie header should take effect immediately and be used for the next request properly.
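The timeline in the post is what you get when refresh requests overlap: the browser reads the Cookie header when a request is sent, and only applies Set-Cookie when that request's response arrives, so a second refresh sent before the first response lands still carries the old token. The following is an added example, not code from the post or from the auth-stg.mydomain.com backend. It uses a deterministic virtual clock plus in-memory stand-ins for the cookie jar and a rotating-refresh-token endpoint (all constructed assumptions) to reproduce the alternating success/failure pattern, then shows a single-flight refresh wrapper: callers that arrive while a refresh is in flight wait for it instead of sending a stale cookie.

```javascript
// Added example (not the poster's code). The clock, cookie jar and backend
// below are in-memory stand-ins for the browser and the refresh endpoint.

// Deterministic virtual clock: timers fire in timestamp order, and after each
// one we yield a macrotask so every pending continuation has run before the
// next timer fires. No real waiting is involved.
function makeClock() {
  const timers = [];
  let now = 0;
  return {
    sleep: (ms) => new Promise((resolve) => timers.push({ at: now + ms, resolve })),
    async run() {
      while (timers.length) {
        timers.sort((a, b) => a.at - b.at);
        const t = timers.shift();
        now = t.at;
        t.resolve();
        await new Promise((r) => setTimeout(r, 0));
      }
    },
  };
}

// Stand-in refresh endpoint: it accepts only the newest refresh token and
// rotates it on every success. The token is checked when the request reaches
// the server; the response (with its Set-Cookie) reaches the client
// `latencyMs` later.
function makeServer(clock, latencyMs) {
  let current = 0;
  return {
    async refresh(cookie) {
      const ok = cookie === current;
      if (ok) current += 1;
      const setCookie = ok ? current : null; // no Set-Cookie on "invalid refresh token"
      await clock.sleep(latencyMs);
      return { ok, setCookie };
    },
  };
}

// Stand-in cookie jar: the Cookie header is read at send time, Set-Cookie is
// applied only when the response arrives.
function makeJar() {
  let value = 0;
  return { get: () => value, set: (v) => { if (v !== null) value = v; } };
}

async function sendRefresh(server, jar) {
  const sent = jar.get();               // cookie captured at send time
  const res = await server.refresh(sent);
  jar.set(res.setCookie);               // Set-Cookie applied on arrival
  return { sent, ...res };
}

// Naive: every caller sends its own refresh (the setTimeout loop in the post).
function naiveRefresher(server, jar) {
  return () => sendRefresh(server, jar);
}

// Fix: single-flight refresh. A caller that arrives while a refresh is in
// flight awaits that refresh and gets its result once Set-Cookie has landed.
function singleFlightRefresher(server, jar) {
  let inFlight = null;
  return () => {
    if (!inFlight) {
      inFlight = sendRefresh(server, jar).finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Drive `n` callers spaced `gapMs` apart against a server with `latencyMs`
// response time; return each caller's ok flag in call order.
async function schedule(n, gapMs, latencyMs, makeRefresher) {
  const clock = makeClock();
  const server = makeServer(clock, latencyMs);
  const jar = makeJar();
  const refresh = makeRefresher(server, jar);
  const pending = Promise.all(
    Array.from({ length: n }, (_, i) => clock.sleep(gapMs * (i + 1)).then(() => refresh()))
  );
  await clock.run();
  return (await pending).map((r) => r.ok);
}

async function demo() {
  const naive = await schedule(6, 250, 400, naiveRefresher);        // gap < latency: overlap
  const fixed = await schedule(6, 250, 400, singleFlightRefresher); // same timing, serialized
  const slow = await schedule(6, 1000, 400, naiveRefresher);        // gap > latency: no overlap
  console.log({ naive, fixed, slow });
  return { naive, fixed, slow };
}

demo();
```

With a 250 ms gap and 400 ms latency the naive run alternates ok/fail exactly like req1..req3 in the post, the 1000 ms gap makes every request succeed because no two overlap, and the single-flight wrapper succeeds at 250 ms because a second caller never sends the old token. In a real client the wrapper goes around the actual fetch to the refresh endpoint (with credentials: "include"), and the retry of the original request awaits that shared promise before being re-sent.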