
I have a React web app that I’m running inside a Capacitor container. The backend issues an HttpOnly cookie (refresh_token) for authentication.

When I test in a normal browser, everything works:

  • Server sets the cookie.

  • Subsequent requests automatically include the cookie.

When I run the exact same code inside the Capacitor build (tested in Android emulator), the cookie is either not stored or not sent back to the server, even during the same app session. So the app breaks as if the cookie doesn’t exist.

Here’s how the cookie is set on the server (Express):

res.cookie("refresh_token", tokenValue, {
  httpOnly: true,
  secure: true,
  sameSite: "None",
  path: "/",
});

Here’s how I request the token from the client (React + Axios):

const res = await axios.post(
  api_url("/user/refresh_token"),
  {}, 
  {
    withCredentials: true, 
  }
);

Observed behavior:

  • In the browser, the cookie is set and sent automatically.

  • In the Capacitor app (emulator), the cookie is missing on subsequent requests.

Questions:

  1. Is this a known limitation of HttpOnly cookies inside Capacitor WebViews on Android/iOS?

  2. Do I need to configure something (e.g., CookieManager, Capacitor Cookies plugin, WebView settings) so that cookies are properly stored and attached to requests?

  3. Is the recommended solution in Capacitor apps to avoid relying on HttpOnly cookies and instead store tokens manually (e.g. Preferences or Secure Storage) and send them via Authorization headers?

Environment:

  • Capacitor 7

  • React 18

  • Android Emulator (API 33)

  • Axios 1.x
