express - What is the point of http-only cookies and how to make your authentication secure? - Stack Overflow
EDIT: Incorrect question. I was getting only an empty object at the backend due to misconfiguration. I thought it was a part of HTTP-ONLY to make cookies inaccessible. (I cannot delete the question)
Problem:
In my Express server I set an http-only cookie.
res.cookie("hiddenCookie", <value>, { httpOnly: true, ...<fields> });
Then of course, we cannot access it via JavaScript on the client side, as expected.
Now if I send a new request, the cookie is only an empty object.
console.log(req.cookies); // Logged Value: { hiddenCookie: {} }
Maybe because I also cannot access it via JavaScript?
But, I want to access that cookie from the server to implement an auto log-in.
My step-by-step plan for auto login:
- Set refreshToken as http-only, which lives for 7 days, and accessToken, which lives for 5 minutes, in the cookies.
- If accessToken is invalid, the server checks for refreshToken in the cookies.
- If refreshToken is valid, automatically issue a new accessToken and refreshToken so that you will only have to explicitly log in if inactive for 7 days straight.
Why this?
accessToken is the main identifier for the user. It can be accessed by the client. To avoid repeated sign-in due to session expiration, I made another token (refreshToken) which lives long and is meant as the second identifier for the user and is not accessible on the client side.
Question:
Is there a way to communicate to it that the refreshToken should reveal itself to the server because it is created here, but not to anyone else?
If the question above is not possible because http-only cookies are not meant to be accessible via JavaScript, where can I store the user's second identifier?
Or maybe simplify everything and just use one token?
I really don't know. Your help is greatly appreciated!
1 Answer
If you want to receive the httpOnly cookie on your server, when you make a request to the server from the client page, you enable withCredentials (for XMLHttpRequest) or { credentials: "include" } (for fetch). The cookie will be sent to the server without the JavaScript code being able to see it.
MDN Documentation source