I'm implementing an authentication flow with:
Angular frontend running on http://localhost:4200
Spring Boot backend running on http://localhost:8080
After a successful login, the backend sends a Set-Cookie header with an HttpOnly refresh token. The header is present in the response, but the browser does not store the cookie. It's not visible under DevTools → Application → Storage → Cookies, and it is not sent with subsequent requests.
Backend: Spring Boot cookie code

```java
private TokenResponse generateTokenResponse(String usernameOrEmail, HttpServletResponse response) {
    UserEntity user = userService.findByUserNameOrEmail(usernameOrEmail);
    Set<String> roles = userService.getUserRoles(user);
    String token = jwtTokenProvider.generateToken(user.getUserName(), roles);
    String refreshToken = jwtTokenProvider.generateRefreshToken(user.getUserName());

    // Set HttpOnly refresh token cookie
    String cookieValue = "refresh_token=" + refreshToken +
            "; HttpOnly; Path=/auth/refresh; Max-Age=" + (7 * 24 * 60 * 60) +
            "; SameSite=Lax";
    response.addHeader("Set-Cookie", cookieValue);

    return new TokenResponse(token, jwtTokenProvider.getJwtExpirationInMs() / 1000, roles);
}
```
Backend: CORS config

```java
@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowCredentials(true);
    configuration.setAllowedOrigins(List.of("http://localhost:4200"));
    configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
    configuration.setAllowedHeaders(List.of("*"));

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}
```
Frontend: Angular HTTP call

I'm using Angular's HttpClient and setting withCredentials: true:

```typescript
this.http.post('/auth/refresh', body, {
  withCredentials: true
}).subscribe();
```
Why don't I see the cookie under Application? It's not passed on subsequent requests to the /auth/refresh endpoint.
```java
ResponseCookie cookie = ResponseCookie.from("refresh_token", refreshToken)
        .httpOnly(true)
        .secure(false)
        .path("/")
        .maxAge(7 * 24 * 60 * 60)
        .sameSite("Lax")
        .build();
response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
```

I updated the code. Still no luck.
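As an added check (not code from the question), here is a small TypeScript routine that applies the RFC 6265 path-match rule and the Secure / SameSite=None constraints to a Set-Cookie header and the URL of a later request, so the attributes the backend emits can be compared against the URL the frontend actually calls. It assumes a missing Path attribute means "/" (a simplification of the RFC's default-path rule, which derives it from the setting URL) and ignores the Domain attribute.

```typescript
// Added check, not code from the question: given a Set-Cookie header and the URL
// of a later request, report the reasons a browser would not attach the cookie.
// Assumptions: a missing Path is treated as "/" and Domain is ignored.
export interface ParsedCookie {
  name: string;
  value: string;
  attrs: Map<string, string>; // lower-cased attribute names; valueless ones map to ""
}

export function parseSetCookie(header: string): ParsedCookie {
  const parts = header.split(";").map((p) => p.trim());
  const pair = parts[0] ?? "";
  const eq = pair.indexOf("=");
  const attrs = new Map<string, string>();
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i < 0 ? "" : attr.slice(i + 1).trim());
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// RFC 6265 section 5.1.4 path-match: identical, or a prefix that ends at a "/".
export function pathMatches(cookiePath: string, requestPath: string): boolean {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
}

export function cookieProblems(setCookie: string, requestUrl: string): string[] {
  const cookie = parseSetCookie(setCookie);
  const url = new URL(requestUrl);
  const problems: string[] = [];
  const cookiePath = cookie.attrs.get("path") || "/"; // simplification, see above
  if (!pathMatches(cookiePath, url.pathname)) {
    problems.push(`Path=${cookiePath} does not path-match ${url.pathname}`);
  }
  if (cookie.attrs.has("secure") && url.protocol !== "https:") {
    problems.push("Secure cookie is not sent over http");
  }
  const sameSite = (cookie.attrs.get("samesite") ?? "").toLowerCase();
  if (sameSite === "none" && !cookie.attrs.has("secure")) {
    problems.push("SameSite=None without Secure is rejected by browsers");
  }
  return problems;
}
```

Run it with the exact header value you see in the login response and the absolute URL the refresh request is sent to, since a relative path in the frontend resolves against the page's own origin.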