I would like to save my HttpOnly cookie that I get from the backend in the browser. However, this is not happening and I don't know why.
In my Spring Boot (Java) app, I added the HttpOnly cookie in the AuthenticationController to the login request:
    @Override
    public ResponseEntity<User> authenticate(AuthenticationRequest authenticationRequest) {
        // Authenticate the user and retrieve the JWT token.
        String jwtToken = authenticationService.authenticateAndGetJwtToken(authenticationRequest);
        // Set the token in the response header as an HttpOnly cookie.
        HttpHeaders headers = new HttpHeaders();
        headers.add(HttpHeaders.SET_COOKIE,
                "sid=" + jwtToken + "; Path=/; Max-Age=9999999; HttpOnly; SameSite=none");
        // Retrieve user data for the authenticated user.
        User user = authenticationService.getUserByIdentifier(authenticationRequest.getUseridentifier());
        return ResponseEntity.ok().headers(headers).body(user);
    }
Here are my CorsFilter settings:
    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        // Set response header information for cross-site requests.
        // Unfortunately, the settings are currently not working.
        response.setHeader("Access-Control-Allow-Origin", "http://localhost:8100");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Withcredentials", "true");
        response.setHeader("X-XSS-Protection", "1");
        response.setHeader("Access-Control-Allow-Methods", "*");
        response.setHeader("Access-Control-Max-Age", "99999999");
        response.setHeader("Access-Control-Allow-Headers",
                "X-Requested-With, Content-Type, Accept, Authorization, Content-Type, xsrf-token, withCredentials, includeSubDomains, Accept-Encoding");
        response.addHeader("Access-Control-Expose-Headers", "xsrf-token");
        response.addHeader("X-Frame-Options", "SAMEORIGIN");
        response.addHeader("Cache-control", "no-store, no-cache");
        response.addHeader("Vary", "Cookie");
        // Answer preflight requests directly; pass everything else down the chain.
        if ("OPTIONS".equals(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            filterChain.doFilter(request, response);
        }
    }
Can anyone tell me why my HttpOnly cookie is not being saved on login in my Angular app? The login request itself works. Only the HttpOnly cookie is not saved. Please let me know if you want me to provide more info.
Thanks in advance
UPDATE 1)
headers.add(HttpHeaders.SET_COOKIE,"sid=" + jwtToken + "; Path=/; Max-Age=9999999; Domain=http://localhost:8100 Secure, HttpOnly; SameSite=lax");
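As an added example (not code from the question, nor from Spring or Angular), the following JavaScript lint models the checks a browser makes before it stores a Set-Cookie header that arrives on a cross-origin response: attribute parsing per RFC 6265 section 5.2, the SameSite=None/Secure rule, the Domain attribute, and the CORS response headers that a credentialed request needs. It assumes the backend answers from localhost (the cookie store does not distinguish ports, so Domain is not needed to share a cookie between :8100 and another localhost port), that http://localhost counts as a secure context as it does in Chromium and Firefox, and that the Angular request carries credentials. The sample headers are constructed copies of the two Set-Cookie values from the post with the token shortened, plus a corrected one.

```javascript
// Added example, not code from the question: a small lint that models why a
// browser keeps or drops a Set-Cookie header on a cross-origin (CORS) response.
// Attribute parsing follows RFC 6265 section 5.2; the acceptance rules are the
// ones current Chromium and Firefox apply on top of it.

// Split "name=value; Attr; Attr=value" into { name, value, attrs }.
// Only ';' separates attributes, so ',' and spaces stay inside a value.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 0) return null; // no cookie-pair, nothing to store
  const attrs = {};
  for (const p of parts.slice(1)) {
    if (!p) continue;
    const i = p.indexOf('=');
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? '' : p.slice(i + 1).trim(); // last duplicate wins
  }
  return { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1).trim(), attrs };
}

// Reasons a browser would discard the cookie (empty array means it is stored).
// ctx.requestHost: host the response came from, without scheme or port.
// ctx.secureContext: true for https, and for http://localhost, which Chromium
//   and Firefox treat as a secure context (assumption for this example).
// ctx.credentialsIncluded: the XHR/fetch was sent with credentials
//   (Angular: HttpClient option withCredentials: true); without it the browser
//   does not even look at Set-Cookie on a cross-origin response.
function lintSetCookie(header, ctx) {
  const c = parseSetCookie(header);
  if (!c) return ['missing cookie name'];
  const problems = [];
  if (!ctx.credentialsIncluded) {
    problems.push('request sent without credentials, Set-Cookie is ignored');
  }
  const a = c.attrs;
  const sameSite = (a.samesite || '').toLowerCase();
  const hasSecure = 'secure' in a;
  if (sameSite === 'none' && !hasSecure) {
    problems.push('SameSite=None requires Secure');
  }
  if (hasSecure && !ctx.secureContext) {
    problems.push('Secure cookie set from an insecure origin');
  }
  if ('domain' in a) {
    const d = a.domain.toLowerCase().replace(/^\./, '');
    if (/[\/:\s]/.test(d)) {
      // A scheme, port, path or space means this is not a host name at all.
      problems.push(`Domain is not a host name: "${a.domain}"`);
    } else if (d !== ctx.requestHost && !ctx.requestHost.endsWith('.' + d)) {
      problems.push(`Domain "${d}" does not cover request host "${ctx.requestHost}"`);
    }
  }
  if ('max-age' in a && !/^-?\d+$/.test(a['max-age'])) {
    problems.push('Max-Age is not an integer');
  }
  return problems;
}

// CORS response headers needed before the browser accepts a credentialed
// cross-origin response at all. With credentials, "*" is taken literally, so
// wildcards in these headers do not match anything.
function lintCorsForCredentials(h) {
  const problems = [];
  const origin = h['access-control-allow-origin'] || '';
  if (!origin || origin === '*') problems.push('Allow-Origin must name one concrete origin');
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Allow-Credentials must be exactly "true"');
  }
  for (const k of ['access-control-allow-methods', 'access-control-allow-headers']) {
    if ((h[k] || '').split(',').map((s) => s.trim()).includes('*')) {
      problems.push(`${k}: "*" is not a wildcard for credentialed requests`);
    }
  }
  return problems;
}

// Constructed samples: the two headers from the question (token shortened)
// and a corrected one, checked as if sent by Angular with credentials from
// http://localhost:8100 to a backend on another localhost port.
const ctx = { requestHost: 'localhost', secureContext: true, credentialsIncluded: true };
const original = 'sid=abc.def.ghi; Path=/; Max-Age=9999999; HttpOnly; SameSite=none';
const update1 = 'sid=abc.def.ghi; Path=/; Max-Age=9999999; Domain=http://localhost:8100 Secure, HttpOnly; SameSite=lax';
const fixed = 'sid=abc.def.ghi; Path=/; Max-Age=9999999; HttpOnly; Secure; SameSite=None';
const questionCors = {
  'access-control-allow-origin': 'http://localhost:8100',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': '*',
  'access-control-allow-headers': 'X-Requested-With, Content-Type, Accept, Authorization',
};

console.log(lintSetCookie(original, ctx));        // SameSite=None without Secure
console.log(lintSetCookie(update1, ctx));         // Domain value swallowed " Secure, HttpOnly"
console.log(lintSetCookie(fixed, ctx));           // []
console.log(lintCorsForCredentials(questionCors)); // Allow-Methods "*"
```

Running it shows the two failure modes in the post's headers: the first cookie is dropped because SameSite=None is only accepted together with Secure, and in the UPDATE 1 variant everything after `Domain=` up to the next `;` is one attribute value, so the browser sees a Domain that is not a host name and sees neither Secure nor HttpOnly. The CORS check also flags `Access-Control-Allow-Methods: *`, which is not treated as a wildcard once the request is credentialed; list the methods explicitly instead.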