
EDIT: Incorrect question. I was getting only an empty object at the backend due to misconfiguration. I thought it was a part of HTTP-ONLY to make cookies inaccessible. (I cannot delete the question)

Problem:

In my Express server I set an http-only cookie.

res.cookie("hiddenCookie", <value>, { httpOnly: true, ...<fields> });

Then of course, we cannot access it via JavaScript on the client side, as expected.

Now if I send a new request, the cookie is only an empty object.

console.log(req.cookies); // Logged Value: { hiddenCookie: {} }

Maybe because I also cannot access it via JavaScript?

But, I want to access that cookie from the server to implement an auto log-in.


My step-by-step plan for auto login:

  1. Set a refreshToken cookie that is http-only and lives for 7 days, and an accessToken cookie that lives for 5 minutes.
  2. If accessToken is invalid, server checks for refreshToken in the cookies.
  3. If refreshToken is valid, automatically issue a new accessToken and refreshToken so that you will only have to explicitly log in if inactive for 7 days straight.

Why this?

accessToken is the main identifier for the user. It can be accessed by the client. To avoid repeated sign-ins due to session expiration, I made another token (refreshToken) which lives long, is meant as the second identifier for the user, and is not accessible on the client side.


Question:

Is there a way to communicate to it that the refreshToken should reveal itself to the server because it is created here, but not to anyone else?

If the question above is not possible because http-only cookies are not meant to be accessible via JavaScript, where can I store the user's second identifier?

Or maybe simplify everything and just use one token?

I really don't know. Your help is greatly appreciated!

1 Answer

If you want to receive the httpOnly cookie on your server, when you make a request to the server from the client page, you enable withCredentials (for XMLHttpRequest) or { credentials: "include" } (for fetch). The cookie will be sent to the server without the JavaScript code being able to see it.

MDN Documentation source


5 Comments

Yeah, it includes the cookies in the request, but the values of all http-only cookies become {}.
You will not be able to see the value of a httpOnly cookie in JavaScript by design; you will only see it in your request on the server side. To validate that the value is present in your client and being sent to your server, open Chrome Dev Tools > Network tab > (select the request you're making) > Cookies tab and ensure the value is present.
On my server that http-only cookie value is still {}. What I am asking is: what is really the purpose of http-only cookies if all you can do is check whether it is there? Is there no way to validate that the value is valid and not manually created via the dev tools?
In the step-by-step I provided above, I can just steal someone's accessToken and have never ending access to it if all I will do to refresh it is to "validate if the value is present" as what you have said.
You can do more than check if it is there, you will see the value you assigned to the client when they make a request to your server, there is something wrong with your configuration that you cannot see the value server side. Also what you described is called session hijacking.
