BenjaminK

Reputation: 813

Localhost development with cookies

I have a Google Cloud bucket CDN-Cookie to access my Google Cloud bucket pictures. On my web server everything is working great with setting the cookies and retrieving the image. But in my development environment, I'm on localhost and it's not sending the cookies because it doesn't have https. What's the go-to approach for a development environment to deal with this kind of issue, as turning localhost into https://localhost seems quite complex for multiple development environments?

Here is the http://localhost cookie error:

Migrate entirely to HTTPS to have cookies sent to same-site subresources A cookie was not sent to a secure origin from an insecure context. Because this cookie would have been sent across schemes on the same site, it was not sent. This behavior enhances the SameSite attribute’s protection of user data from request forgery by network attackers. Resolve this issue by migrating your site (as defined by the eTLD+1) entirely to HTTPS. It is also recommended to mark the cookie with the Secure attribute if that is not already the case.

Upvotes: 4

Views: 18101

Answers (2)

Yashpal Rajput

Reputation: 11

I had a similar problem when I was working on a MERN application where my Node.js server was an HTTPS server but in development the React frontend was running on http, so the cookies were not getting sent in the request header. Adding the following to the express-session code solved the issue:

const express = require("express");
const session = require("express-session");

const app = express();

app.use(
  session({
    secret: process.env.SECRET_KEY,
    resave: false,
    saveUninitialized: true,
    cookie: {
      // Allow the session cookie on cross-site (including cross-scheme) requests
      sameSite: "none",
      // "auto": set the Secure attribute only when the connection is actually HTTPS
      secure: "auto",
    },
  })
);

Upvotes: 0

sbingler

Reputation: 51

To start, it sounds like your localhost development workflow includes some portions on https, otherwise you wouldn't be seeing that message: "A cookie was not sent to a secure origin from an insecure context".

What's the go-to approach for a development environment to deal with this kind of issue

There's not one per se; it's dependent on your environment. You have a few options that you can consider:

  1. Upgrade entirely to https. You mentioned that this is complicated for your setup, so this one probably won't suit you (maybe https://web.dev/how-to-use-local-https/ helps?).
  2. Downgrade entirely to http during localhost development. This error only appears because you're trying to send cookies across different schemes; if everything is http then you won't experience it.
  3. Change SameSite=Strict and SameSite=Lax cookies to SameSite=None; Secure. SameSite=None cookies are sent freely between schemes.
  4. Disable Schemeful Same-Site via chrome://flags/#schemeful-same-site. This will be going away in the coming months so I don't recommend relying on it.
  5. Enable legacy cookie features through the LegacySameSiteCookieBehaviorEnabled or LegacySameSiteCookieBehaviorEnabledForDomainList enterprise policies. This option is also temporary so, again, best not to rely on it. Also this does a bit more, such as removing the "SameSite=None must be Secure" requirement and the "Unspecified SameSite is treated as SameSite=Lax" behaviour; see the links for more info there.

Upvotes: 4
