Why Aren\'t My HTTPOnly Cookies Setting in the Browser on Localhost?

HTTPOnly Cookie Not Setting in Browser on Localhost

Problem:

In a REST API with a login endpoint that generates an HTTPOnly cookie, the cookie was no longer being set in the browser, even though POST requests via Postman worked correctly. This issue occurred despite using approaches that had previously functioned.

Approaches Used:

• Created a minimal Go implementation of the REST API.
• Created a Node implementation using Express and axios.
• Analyzed header responses and tested the front-end code.

Results:

• Both Go and Node APIs sent the HTTPOnly cookie in their response headers.
• However, the cookies were not being set in the browsers tested.

Solution:

The problem was in the client-side JavaScript (fetch() method). By adding the 'credentials: "include"' option to the RequestInit object, the browser was allowed to send and receive cookies with the request. This is necessary for HTTPOnly cookies to be set in the browser.

Additional Information:

• Axios automatically sets the 'credentials: "include"' option.
• If using Axios, 'withCredentials: true' should be included in the third config argument of the request to enable browser cookie setting.

The above is the detailed content of Why Aren\'t My HTTPOnly Cookies Setting in the Browser on Localhost?. For more information, please follow other related articles on the PHP Chinese website!