ilia
Reputation: 339
httpOnly cookies are visible
i am creating jwt token based sessions and passing that token to client with httpOnly argument but the cookie are visible in browser here is photo: 
and here is the code
const token = jwt.sign({id :payload}, process.env.SECRET, {
expiresIn: 10
})
console.log(token)
res.cookie('token', token, {
httpOnly: true
});
what is the problem why is "token cookie" visible?
Upvotes: 1
Views: 1564
Answers (1)
Federico G
Reputation: 313
From MDN
To prevent cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript's Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and the HttpOnly flag should be set.
The HttpOnly flag doesn't prevent the cookie to be visible, but prevents being access from JavaScript. Cookies can't be hidden
Upvotes: 6
Related Questions
- Can't store JWT in Cookie with Express & Angular
- httpOnly cookie is being sent with the response but is not being stored in the browser cookies
- angular doesn't send cookie to server automatically
- Cookies are not saved in the browser
- I can still edit cookie even with httpOnly using cookie editor
- Can't access JWT from cookies or header
- Can't see the cookies in react js that are sent from back end
- Express.js httpOnly cookie not being set
- Express - JWT Cookie not being stored in browser
- JWT UnauthorizedError: No authorization token was found (GET request with cookie)