Cookie not set in Request Headers, even with 'same-origin' credentials.
Making requests to a Django API requires setting a csrftoken cookie. I am having trouble setting this and sending the Cookie header in a fetch request. I have looked at:
- https://github.com/github/fetch/issues/163#issuecomment-112180606
- https://github.com/github/fetch/issues/142
- https://github.com/github/fetch/pull/56#issuecomment-69113848
- http://stackoverflow.com/a/29664267/651952
I’ve made sure that I’m setting the credentials to 'same-origin', as noted many times in the above resources. However, the Cookie header is still missing from the request. Headers seem to be properly changed for every other attribute but Cookie. I feel like I’m missing something obvious, but cannot figure out what it is. Below is the example js I’m using.
fetch('/api/v2/user/me', {
  method: "GET",
  headers: {
    'Accept': 'application/json', // This is set on request
    'Content-Type': 'application/json', // This is set on request
    'X-CSRF-Token': 'abcdefghijklmnop', // This is set on request
    'Cache': 'no-cache', // This is set on request
    credentials: 'same-origin', // This is set on request
    'Cookie': 'csrftoken=abcdefghijklmnop' // This is missing from request
  }
})
  .then(response => {
    if (response.status >= 200 && response.status < 300) {
      return response.json();
    } else {
      throw new Error(response.statusText);
    }
  })
  .catch(error => { console.log('request failed', error); });
You will note the header missing from the request:
I tried changing the cookie key to something other than csrftoken; that did not work either. Thoughts on this?
Issue Analytics
- State:
- Created 7 years ago
- Reactions:9
- Comments:8 (2 by maintainers)
@mislav I’ve figured it out. The credentials property is not supposed to be defined in the headers object. This works:…duh. For others.
FWIW: If you set credentials: 'same-origin' it will only send the cookies from the same domain–which is handy if 3rd party client-side libraries are adding lots of cookies and you don’t want to muddle up your server-side request with lots of useless cookie junk. Example call:
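
The resolution reached in this thread (credentials belongs beside headers, not inside it), as an added example that is not part of the original issue or of the fetch project: a small checker, under the hypothetical name auditFetchInit, that flags request options nested under headers and header names such as Cookie that browsers refuse to set from script, then returns a corrected init object. The sample init is constructed from the call in the question.

```javascript
// Added example: audit a fetch() init object for the two mistakes in this thread.
// auditFetchInit and `sample` are hypothetical names, not part of any library.

// RequestInit members from the Fetch standard: these are options, not headers.
const REQUEST_INIT_KEYS = ['method', 'body', 'mode', 'credentials', 'cache',
  'redirect', 'referrer', 'referrerPolicy', 'integrity', 'keepalive', 'signal'];

// Some forbidden header names: browsers ignore them when set from script.
const FORBIDDEN_HEADERS = ['cookie', 'cookie2', 'host', 'origin', 'referer',
  'content-length'];

function auditFetchInit(init) {
  const findings = [];
  const fixed = { ...init, headers: {} };
  for (const [name, value] of Object.entries(init.headers || {})) {
    if (REQUEST_INIT_KEYS.includes(name)) {
      // An option placed under headers is sent as a literal header and has
      // no effect on how the request is made.
      findings.push(`"${name}" is a request option, not a header; move it to the top level`);
      if (!(name in init)) fixed[name] = value;
    } else if (FORBIDDEN_HEADERS.includes(name.toLowerCase())) {
      // The browser builds Cookie itself from its cookie store.
      findings.push(`"${name}" is a forbidden header name; the browser sets it itself`);
    } else {
      fixed.headers[name] = value;
    }
  }
  return { findings, fixed };
}

// Constructed sample mirroring the call from the issue.
const sample = {
  method: 'GET',
  headers: {
    'Accept': 'application/json',
    'X-CSRF-Token': 'abcdefghijklmnop',
    credentials: 'same-origin',
    'Cookie': 'csrftoken=abcdefghijklmnop'
  }
};

const report = auditFetchInit(sample);
report.findings.forEach(f => console.log(f));
console.log(JSON.stringify(report.fixed, null, 2));
```
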