Why browser is not setting the cookie sent from my node js backend?

Question

I'm trying to set a cookie from the backend server running at "api.mydomain.com" like this to the frontend running at "mydomain.com".

res.cookie('auth', token, {
  domain: 'mydomain.com',
  httpOnly: true,
  signed: true,
  secure: true,
  sameSite:'none',
});
res.json({
  //response object
});

In the response header of the request, the "Set-Cookie" header is visible, but when I am checking the cookie storage for the frontend running on "mydomain.com" I cannot find the cookie.

Set-Cookie: auth=<...>; Domain=mydomain.com; Path=/; HttpOnly; Secure; SameSite=None

My backend server is running Node.js and the frontend is in React.

Yes, I have checked the dev tools for the cookies. It is not getting added there. I think even if I mark the cookie as HttpOnly, then also it should appear in dev tools. — Soumya Dey, May 07 '22 at 15:44

score 1 · Accepted Answer · answered May 06 '22 at 12:06

Well, you are getting this result since you have the httpOnly flag to true, and this is usually good to enhance security.

HTTP only cookies are not available via JavaScript code, the browser will send it automatically to the server without letting them to be available to the JavaScript code.

score 1 · Answer 2 · answered May 06 '22 at 12:08

You should make httpOnly: false. The HTTP Only flag is used to prevent the cookie accessible from Javascript (But still can be accessed via HTTP Request). So you can store sensitive information securely that won't be compromised via XSS.

res.cookie('auth', token, {
  domain: 'mydomain.com',
  httpOnly: false,
  signed: true,
  secure: true,
  sameSite:'none',
});

Why browser is not setting the cookie sent from my node js backend?

2 Answers2

Linked