Cookie not set in Request Headers, even with 'same-origin' credentials.

Making requests to a Django API requires setting a csrftoken cookie. I am having trouble setting this and sending the Cookie header in a fetch request. I have looked at:

I’ve made sure that I’m setting the credentials to 'same-origin', as noted many times in the above resources. However, the Cookie header is still missing from the request. Headers seem to be properly changed for every other attribute but Cookie. I feel like I’m missing something obvious, but cannot figure out what it is. Below is the example js I’m using.

fetch('/api/v2/user/me', {
  method: "GET",
  headers: {
    'Accept': 'application/json', // This is set on request
    'Content-Type': 'application/json', // This is set on request
    'X-CSRF-Token': 'abcdefghijklmnop', // This is set on request
    'Cache': 'no-cache', // This is set on request
    credentials: 'same-origin', // This is set on request
    'Cookie': 'csrftoken=abcdefghijklmnop' // This is missing from request
  }
})
.then(response => {
  if (response.status >= 200 && response.status < 300) {
    return response.json();
  } else {
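    // `error` was undefined in this scope; throw a real Error instead
    throw new Error('Unexpected status ' + response.status);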
  }
})
.catch(error => { console.log('request failed', error); });

You will note the header missing from the request: [screenshot]

I tried changing the cookie key to something other than csrftoken; that did not work either. Thoughts on this?

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Reactions: 9
  • Comments: 8 (2 by maintainers)

Top GitHub Comments

331 reactions
chalisegrogan commented, Jun 13, 2016

@mislav I’ve figured it out. The credentials property is not supposed to be defined in the headers object. This works:

fetch('/api/v2/user/me', {
  method: "GET",
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'Cache': 'no-cache'
  },
  credentials: 'include'
})

…duh. For others.

57 reactions
tamitutor commented, May 28, 2017

FWIW:

If you set credentials: 'same-origin' it will only send the cookies from the same domain–which is handy if 3rd party client-side libraries are adding lots of cookies and you don’t want to muddle up your server-side request with lots of useless cookie junk.

Example call:

fetch('/api/v2/user/me', {
  method: "GET",
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'Cache': 'no-cache'
  },
  credentials: 'same-origin'
})
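
The two mistakes in the original snippet (credentials placed inside headers, and a hand-set Cookie header) can be caught before the request is sent. The following is an added example, not code from the issue or from the fetch project: lintFetchInit and getCookie are hypothetical helper names, the cookie string is passed in as an argument (in a browser it would be document.cookie), and X-CSRFToken is assumed as the header name because it is Django's default.

```javascript
// Added example; lintFetchInit and getCookie are hypothetical helper names.
// Header names that fetch() silently drops when set by script (the subset of
// the Fetch spec's forbidden request-header list relevant here).
const FORBIDDEN = new Set(['cookie', 'cookie2', 'host', 'origin', 'referer']);
const CREDENTIAL_MODES = new Set(['omit', 'same-origin', 'include']);

// Read one cookie value from a document.cookie-style string.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Return a corrected copy of a fetch() init object plus a list of findings.
function lintFetchInit(init, cookieString) {
  const findings = [];
  const headers = {};
  const fixed = { ...init, headers };
  for (const [name, value] of Object.entries(init.headers || {})) {
    const lower = name.toLowerCase();
    if (lower === 'credentials') {
      // The mistake from the issue: this would be sent as an HTTP header
      // named "credentials" while the real option keeps its default.
      findings.push('credentials moved from headers to top-level option');
      if (!fixed.credentials) fixed.credentials = value;
    } else if (FORBIDDEN.has(lower)) {
      findings.push(`${name} header dropped: the browser sets it, script cannot`);
    } else {
      headers[name] = value;
    }
  }
  if (fixed.credentials && !CREDENTIAL_MODES.has(fixed.credentials)) {
    findings.push(`unknown credentials mode: ${fixed.credentials}`);
  }
  // Django checks the CSRF token on unsafe methods; copy it from the cookie
  // into the X-CSRFToken header (assumed: Django's default CSRF_HEADER_NAME).
  const method = (init.method || 'GET').toUpperCase();
  if (!['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(method)) {
    const token = getCookie(cookieString, 'csrftoken');
    if (token) headers['X-CSRFToken'] = token;
    else findings.push('no csrftoken cookie available for unsafe method');
  }
  return { init: fixed, findings };
}
```

The returned init object can be passed straight to fetch(url, init); the findings list is meant for a development-time warning or a unit test.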