Reputation: 815
Cookie not set in request with NodeJS and NextJS
I'm developing a fullstack app with Node + Express backend and NextJS front end (separate servers) and am having trouble requesting the browser to attach the cookie vended down as part of the response header from the node server. Here's the setup:
- Node server is running on localhost:3000 and NextJs server is running on localhost:3001.
- I have set up alias in etc/hosts to route someAlias.com to 127.0.0.1.
Using the front end UI (port 3001) I was able to vend the cookie with JsHttp's cookie module with the following code from the backend (port 3000):
import { serialize } from 'cookie';
...
const cookie = serialize(TOKEN_NAME, TOKEN_VAL, {
httpOnly: true,
sameSite: 'none',
});
I was able to observe the Set-Cookie header in the response.
However, in the subsequent requests, I did not see the cookie being attached. I have tried fiddling with the above cookie serialization params with no success:
Here are the arguments I've tried:
domain: ['.someAlias.com:3000', '.someAlias.com:3001']path: '/'domain: '.someAlias.com'
I have a feeling it might just be due to front end and back end server ports being different, but all requests have been initiated on the client side going to localhost:3000 (backend port). So not sure what I've possibly done wrong here.
====== UPDATE =======
I've run a couple more experiments, and found out that when I'm accessing a URL directly, NextJs renders the page server-side. When I'm transitioning between pages within the app, the page is rendered client-side where it queries the backend port 3000 directly. Unfortunately in neither scenario did I see any cookie being set...
Upvotes: 3
Views: 27348
Answers (4)
Reputation: 110
According to this comment I found on GitHub, if you're setting sameSite to none, you have to set secure to true; otherwise, the browser will never save the cookie.
Unfortunately secure: true won't work on localhost so the workaround would be to check your environment and set sameSite to lax and secure as false when working locally.
Your code could look like this:
...
const ENVIRONMENT = process.env.NODE_ENV || "development";
const cookie = serialize(TOKEN_NAME, TOKEN_VAL, {
httpOnly: true,
secure: ENVIRONMENT === "production",
sameSite: ENVIRONMENT === "production" ? "none" : "lax",
});
...
Upvotes: 1
Reputation: 106
the cookies must be sent directly from the browser to the server , which is not the case when you use nextJs . because when you access to your app next js will server side render your page and then the request will be sent from nextjs server to your nodejs server so the browser will send the cookies to nextjs server not to your nodejs server . the solution is to send cookies manually from nextjs server to nodejs . example with fetchApi and getServerSideProps function:
export async function getServerSideProps(context){
try{
const res = await fetch(`your-api-endpoint`, {
method: 'GET',
credentials:'include',
headers: {
'Access-Control-Allow-Credentials': true,
Cookie: context.req.headers.cookie
},
})
const data = await res.json()
if(!res.ok){
throw data
}
}catch(err){
return console.log(err)
}
return {
props: {
data
}
}
}
Upvotes: 3
Reputation: 29301
SAMESITE NONE
If you use SameSite=none you also need to use Secure, meaning SSL must also be used. You are then saying that your 2 servers are from unrelated domains, which is probably not what you want, since browsers will drop cookies aggressively.
LOCAL PC OPTIONS
Use these settings initially on your development computer, and ensure that all URLs used in the browser and Ajax calls use http://somealias.com:3000 and http://somealias.com:3001 rather than localhost. Cookies will then stick on a development computer.
- Domain=.somealias.com
- Path=/
- SameSite=strict
- HTTP Only
DEPLOYED OPTIONS
When you deploy to a proper environment, also use SSL and set the cookie option Secure. Most importantly, the two domains must meet hosting prerequisites of sharing the same base domain, eg:
This ensures that cookies issued are considered first party and in the same site, so that they are not dropped. If preconditions are not met, there is nothing you can do in code to fix the problem.
SIMILAR RESOURCE
This Curity code example uses local development domains and same site cookie settings similar to those I've used above and may be useful to compare against.
Upvotes: 1
Reputation: 1204
You should set serialized cookie with res.set Express method.
Alternatively, you can use res.cookie method without additional cookie package like this:
res.cookie(TOKEN_NAME, TOKEN_VAL, {
httpOnly: true,
sameSite: 'none',
});
Note, you shouldn't worry about different ports on the same domain, since cookies are not isolated by port but domain only. No matter what port you use, cookies should be visible.
Upvotes: 0
Related Questions
- Calling my Next JS /api endpoint from getStaticProps will not set a cookie
- Can't set a cookie using NextJS 9's API Route
- NextJS: Can't get client side cookies without refreshing
- Not being able to remove cookies on nextjs in production
- Cookie not being set in safari
- Set Cookie with Nextjs and Vercel
- Cookies don't get set in chrome via `Set-Cookie` Header
- NextJS - can't acces cookies in getServerSideProps
- Next.js API route can't set cookie
- Express not setting Cookie