Augustin Riedinger

Reputation: 22270

Express Session + Angular: can't access connect.sid cookie

There is something I really don't understand here:

I have express running on server-side, with session initialized.

app.use(express.session({
    secret: 'mySecret'
}));

As mentioned in this post, Confusion over session IDs using Connect, it sends a connect.sid cookie to any request.

On the client-side, I want to read the content of this cookie, and it feels impossible:

angular.module('myApp.controllers', ['ngCookies','myApp.services'])
.controller('homeCtrl', function($scope, $cookies) {
    $cookies['test']='myValue';
    console.log($cookies);
});

When I run this, I get this object in the log: Object {test: "myValue"}, whereas if I go to the Resources tab in the Chrome debugger, I can see both cookies:

Screenshot of Resources tab in Chrome debugger

What am I doing wrong?

Is it impossible to access server-made cookies from Angular?

Thanks

Upvotes: 11

Views: 8244

Answers (2)

gregorius

Reputation: 131

Be careful that you are not fixing one problem but creating another, and worse problem. The httpOnly flag is usually used to defend against XSS attacks. See this link at OWASP for more details: https://www.owasp.org/index.php/HttpOnly

Interesting story about this here: http://blog.codinghorror.com/protecting-your-cookies-httponly/

Upvotes: 7

lupin

Reputation: 174

By default connect session uses a httpOnly cookie (look here).

Reading the cookie is always forbidden when httpOnly flag is set.

Try to disable the httpOnly flag:

app.use(express.session({
    secret: 'mySecret',
    cookie: { httpOnly: false }
}));

Upvotes: 15
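
The behaviour both answers describe, as an added example that is not part of the original thread: a small Node.js model of which cookies `document.cookie` (and so Angular's `$cookies`) can see, plus a check that flags a session cookie sent without `HttpOnly`. The function names and header values are constructed for illustration, and the `test` cookie is modelled as a header for simplicity.

```javascript
// Added example: models how a browser treats the HttpOnly attribute.
// Header values below are constructed samples, not captured traffic.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  // A pair without '=' is treated as a nameless cookie.
  return { name: eq === -1 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// What document.cookie would expose to page script:
// every cookie except those marked HttpOnly.
function scriptVisible(headers) {
  return headers.map(parseSetCookie)
    .filter(c => !c.attrs.httponly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Flag session cookies that any script running in the page could read.
function auditSessionCookies(headers, sessionNames = ['connect.sid']) {
  return headers.map(parseSetCookie)
    .filter(c => sessionNames.includes(c.name) && !c.attrs.httponly)
    .map(c => `${c.name}: missing HttpOnly, readable via document.cookie`);
}

// Default session settings (HttpOnly set) versus cookie: { httpOnly: false }.
const defaults = ['connect.sid=s%3Aconstructed.sig; Path=/; HttpOnly', 'test=myValue; Path=/'];
const weakened = ['connect.sid=s%3Aconstructed.sig; Path=/', 'test=myValue; Path=/'];

console.log(scriptVisible(defaults));        // only the non-HttpOnly cookie
console.log(auditSessionCookies(defaults));  // no findings
console.log(auditSessionCookies(weakened));  // session cookie flagged
```

The same audit can be pointed at the `Set-Cookie` headers of a real response to confirm the session cookie still carries `HttpOnly` after a configuration change.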
