HttpOnly cookie in development environment

stevenhello (Member; joined Jan 2, 2023; messages: 5; programming experience: 1-3)
Hi,

I have the problem that, after a successful login on my .NET Core Web API, I want to send an HttpOnly cookie to the browser (to save a refresh token for authorisation).
But after the login I can't see the cookie in the browser (Developer Tools - Application Data).
I am in development mode:

API Controller: https://localhost:7137/api/Auth/Login

Client is an Angular App: https://localhost:4200/

These are the cookie options in the Login controller:

C#:
    var cookie = new CookieOptions
    {
        HttpOnly = true,
        Expires = DateTime.UtcNow.AddDays(10),
        SameSite = SameSiteMode.None,
        Secure = true,
        Domain = "localhost"
    };

    HttpContext.Response.Cookies.Append("rToken", token, cookie);


In the Developer Tools of the browser, on the Network tab, I can see the cookie header in the login response (login is successful).
Also in Postman, for testing, I see the cookie header in the API response.

But not in the Application Data of the browser.
The cookie is also not attached to further requests to the API!

On the login request from the Angular client I set the header: withcredentials: true
Any ideas?

Thank you!
Steven
 
"The Cookie is also not attached to further Requests to the API!"

Requests that are made using script?
 
Further API requests (after the successful login) are also made by the Angular client (the requests are working, but the cookie is not attached to the request).
Thank you!
 
Yes, that's why I want to store the refresh token in a secure way (no JavaScript can access it).
On further API requests, the cookie should be attached to the requests (https) by the browser.
 
"Further API requests" that are made by JavaScript, accessing a cookie that "No Java Script can access"?
 
The further API request made by JavaScript doesn't access the cookie. The cookie is attached to the request by the browser when the browser has the HttpOnly cookie stored for the correct site (in this case localhost).
 
Here is my working Login route in my API controller:
(Here I tried the Domain option for the cookie: Domain = "https://localhost:4200" - also not working, same as localhost)

C#:
    [HttpPost]
    [Route(template: "Login")]
    public async Task<IActionResult> Login([FromBody] UserLoginRequestDto loginRequest)
    {
        if (ModelState.IsValid)
        {
            // Check if the user exists
            var existing_user = await _userManager.FindByEmailAsync(loginRequest.Email);

            if (existing_user == null)
                return Ok(new AuthResult()
                {
                    Result = false,
                    Errors = new List<string>()
                    {
                        "Invalid Payload"
                    },
                });

            if (!existing_user.EmailConfirmed)
                return Ok(new AuthResult()
                {
                    Result = false,
                    Errors = new List<string>()
                    {
                        "Email needs confirmed"
                    },
                });

            var isCorrect = await _userManager.CheckPasswordAsync(existing_user, loginRequest.Password);

            if (!isCorrect)
                return Ok(new AuthResult()
                {
                    Result = false,
                    Errors = new List<string>()
                    {
                        "Invalid Credentials"
                    },
                });

            var jwtToken = GenerateJwtToken(existing_user);
            var token = await _userManager.GenerateUserTokenAsync(existing_user, "Refresh", "REFRESH");
            await _userManager.SetAuthenticationTokenAsync(existing_user, "Refresh", "Refreshtoken", token);

            // Cookie options as tried here: Domain set to the client origin with scheme and port
            // (not working, same result as Domain = "localhost")
            var cookie = new CookieOptions
            {
                HttpOnly = true,
                Expires = DateTime.UtcNow.AddDays(10),
                SameSite = SameSiteMode.None,
                Secure = true,
                Domain = "https://localhost:4200"
            };

            HttpContext.Response.Cookies.Append("rToken", token, cookie);

            Response.Headers.Add("Access-Control-Allow-Credentials", "true");

            return Ok(new AuthResult()
            {
                Token = jwtToken,
                Result = true
            });
        }

        return BadRequest(error: new AuthResult()
        {
            Result = false,
            Errors = new List<string>()
            {
                "Invalid Payload"
            },
        });
    }

Here you can see from the browser Dev Tools - Network tab (Firefox) the successful login request and all headers (request and answer).
Also the Set-Cookie header is in the answer of the API. (Sorry - the browser is German.)

httpHeaders.JPG

Also here in the Network tab the cookie is visible in the sub-tab Cookies:

cookie.JPG

But I can't see the cookie in the browser cookie store (Application Data),
and that's also the reason why the cookie is not attached to further API requests:

ApplicationData.JPG
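The symptom in this post (Set-Cookie visible in the Network tab, nothing in the cookie store, nothing attached to later requests) is what a browser produces when it receives the cookie but refuses to store it. The following is an added example written for this thread, not code from the original post or from ASP.NET Core or Angular: a small JavaScript model of the RFC 6265 storage rules, run against constructed Set-Cookie headers that mirror the two CookieOptions shown above (the token value is a placeholder). The function names (`parseSetCookie`, `domainMatches`, `wouldStore`, `visibleToScript`, `evaluateSamples`) and the `SAMPLES` map are inventions of this example.

```javascript
// Added example for this thread (not code from the original post, ASP.NET Core
// or Angular): a small model of the RFC 6265 storage rules a browser applies to
// a Set-Cookie header. It shows why a cookie can appear in the Network tab (the
// server did send it) yet never reach the cookie store (the browser refused it).
// Sample headers below are constructed; the token value is a placeholder.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? pair.trim() : pair.slice(0, eq).trim(),
    value: eq < 0 ? '' : pair.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of attrParts) {
    const [rawKey, ...rest] = part.split('=');
    const key = rawKey.trim().toLowerCase();
    // Flag attributes (Secure, HttpOnly) carry no value; store them as true.
    cookie.attrs[key] = rest.length ? rest.join('=').trim() : true;
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching: the request host must equal the
// Domain attribute or be a subdomain of it. A leading dot is ignored.
function domainMatches(host, domainAttr) {
  const d = domainAttr.toLowerCase().replace(/^\./, '');
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Decide whether a user agent stores the cookie sent by a response from
// `origin` (for example "https://localhost:7137"). Returns { stored, reason }.
// Real browsers add rules this model leaves out (public-suffix list, size
// limits, special handling of "localhost"); the checks here are the ones that
// matter for the CookieOptions shown in the thread.
function wouldStore(setCookieHeader, origin) {
  const url = new URL(origin);
  const { name, attrs } = parseSetCookie(setCookieHeader);

  if (!name) return { stored: false, reason: 'empty cookie name' };

  if (typeof attrs.domain === 'string') {
    // The Domain attribute is a bare host name. A value carrying a scheme or a
    // port can never domain-match the request host, so the whole cookie is
    // ignored (RFC 6265 section 5.3, step 6).
    if (/[:/]/.test(attrs.domain)) {
      return { stored: false, reason: `Domain "${attrs.domain}" is not a host name` };
    }
    if (!domainMatches(url.hostname, attrs.domain)) {
      return { stored: false, reason: `host ${url.hostname} does not domain-match ${attrs.domain}` };
    }
  }

  // A Secure cookie is only accepted from a secure origin.
  if (attrs.secure === true && url.protocol !== 'https:') {
    return { stored: false, reason: 'Secure cookie set over a non-https origin' };
  }

  // SameSite=None (needed before a cross-site XHR may carry the cookie) is only
  // honoured together with Secure.
  if (typeof attrs.samesite === 'string' && attrs.samesite.toLowerCase() === 'none' && attrs.secure !== true) {
    return { stored: false, reason: 'SameSite=None requires Secure' };
  }

  return { stored: true, reason: 'ok' };
}

// HttpOnly only hides the cookie from document.cookie; it has no bearing on
// whether the browser stores the cookie or attaches it to later requests.
function visibleToScript(setCookieHeader) {
  return parseSetCookie(setCookieHeader).attrs.httponly !== true;
}

// Constructed sample headers mirroring the CookieOptions in the thread.
const SAMPLES = {
  domainWithScheme: 'rToken=PLACEHOLDER_TOKEN; expires=Sat, 13 Jan 2024 10:00:00 GMT; domain=https://localhost:4200; path=/; secure; samesite=none; httponly',
  noDomain: 'rToken=PLACEHOLDER_TOKEN; expires=Sat, 13 Jan 2024 10:00:00 GMT; path=/; secure; samesite=none; httponly',
  noneWithoutSecure: 'rToken=PLACEHOLDER_TOKEN; path=/; samesite=none; httponly',
};

// Evaluate every sample against one API origin.
function evaluateSamples(origin) {
  const out = {};
  for (const [label, header] of Object.entries(SAMPLES)) {
    out[label] = wouldStore(header, origin);
  }
  return out;
}

for (const [label, result] of Object.entries(evaluateSamples('https://localhost:7137'))) {
  console.log(`${label}: stored=${result.stored} (${result.reason})`);
}
```

The model covers only the server-side Set-Cookie attributes; whether a stored cookie is then sent on a cross-origin XHR also depends on the client flag and the CORS headers that the replies in this thread discuss, which it does not simulate.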
 
This may be relevant:
 
Saw that, but discounted it because of

On the Login Request from the Angular Client i set the Header: withcredentials: true

Just for clarity, when I said "can you put a full reproducing code" I meant to zip up some CS and JS files into a project we can run and play with, that exhibits the issue.
 
As I recall, JSON is case sensitive. withCredentials would not be the same as withcredentials. We can only tell if the OP gives us minimal code to reproduce the problem whether it was just a simple typo or not.
 
I need more coffee... I mean JavaScript above, not JSON.
 