Railway ✋|help

httpOnly cookies not being set in production using koa

blazu.g 4/2/2023
Hi, I'm trying to set httpOnly cookies in my Koa.js app, but to no avail. I have a custom domain in Railway: server.myapp.com. Cookie options:

```js
// only scope the cookie to the apex domain in production
const domain = config.MY_APP_ENV === 'production' ? 'myapp.com' : undefined;

const options = {
  domain,
  httpOnly: true,
  secure: config.MY_APP_ENV !== 'development',
  sameSite: 'lax',
  path: '/',
  maxAge,
};

context.ctx.cookies.set(COLLECTION_SESSION_COOKIE, token, options);
```
Percy 4/2/2023
Please provide your project ID or reply with N/A. Thread will automatically be closed if no reply is received within 10 minutes. You can copy your project's id by pressing Ctrl/Cmd + K -> Copy Project ID.
Percy 4/2/2023
No project ID was provided. Closing thread.
blazu.g 4/2/2023
N/A. I already tried to remove the domain option.
Ray 4/3/2023
A few thoughts on why it's failing:
* Does your MY_APP_ENV on Railway have its value set to production? If not, your domain would be undefined.
* Have you tried changing the domain to server.myapp.com, or using a wildcard (.myapp.com) as the domain?
* What are your access-control-allow-* settings? This is considered a cross-origin request, so there may be something else required to make this work.
* Do you have proxy=true in your Koa server, so that Koa can accept headers from Railway's proxy? (https://koajs.com/#settings)
* What do you see in the set-cookie response header? It should have domain=.myapp.com; path=/; secure; samesite=lax; httponly at minimum (judging from your cookie options).
Try these first 🙂
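To make the proxy=true point concrete, here is an added example (not code from the thread, Railway or Koa) that models in plain JavaScript how Koa decides whether a request is secure, the guard the cookies module applies before it will set a `secure` cookie, and the Set-Cookie header that results. The request object, cookie name and value are constructed; the logic is a simplified reimplementation, not the library's own source.

```javascript
// Added example: why app.proxy matters for `secure` cookies behind a
// TLS-terminating proxy. Request objects here are constructed.

// Koa's ctx.protocol: 'https' if the socket itself is TLS; otherwise it only
// trusts X-Forwarded-Proto when app.proxy is true. Behind a proxy that
// terminates TLS, the socket Koa sees is plain HTTP.
function resolveProtocol(req, appProxy) {
  if (req.socketEncrypted) return 'https';
  if (!appProxy) return 'http';
  const forwarded = req.headers['x-forwarded-proto'] || '';
  // The first value is the scheme the client used at the edge.
  return forwarded.split(/\s*,\s*/)[0] || 'http';
}

// Simplified rendering of the cookie attributes (the cookies module renders
// maxAge as an Expires date; max-age is used here for readability).
function renderSetCookie(name, value, opts) {
  const parts = [`${name}=${value}`];
  if (opts.domain) parts.push(`domain=${opts.domain}`);
  if (opts.path) parts.push(`path=${opts.path}`);
  if (opts.maxAge != null) parts.push(`max-age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.secure) parts.push('secure');
  if (opts.sameSite) parts.push(`samesite=${opts.sameSite}`);
  if (opts.httpOnly) parts.push('httponly');
  return parts.join('; ');
}

// Mirrors the guard in the cookies module Koa uses: a `secure` cookie on a
// request the server considers insecure is refused (the real module throws).
// A result object is returned here so the outcome is easy to inspect.
function setSessionCookie(req, appProxy, name, value, opts) {
  const isSecureRequest = resolveProtocol(req, appProxy) === 'https';
  if (opts.secure && !isSecureRequest) {
    return {
      ok: false,
      error: 'secure cookie requested on a request Koa considers plain HTTP; ' +
             'set app.proxy = true when running behind a TLS-terminating proxy',
    };
  }
  return { ok: true, header: renderSetCookie(name, value, opts) };
}

// Constructed request as it arrives from the proxy: plain socket, but the
// proxy reports that the client connected over HTTPS.
const proxiedRequest = {
  socketEncrypted: false,
  headers: { 'x-forwarded-proto': 'https', host: 'server.myapp.com' },
};

// Same options as in the thread, with the wildcard domain Ray suggested.
const sessionOptions = { domain: '.myapp.com', httpOnly: true, secure: true, sameSite: 'lax', path: '/' };

// Same request, with and without app.proxy.
function demo() {
  return {
    withoutProxy: setSessionCookie(proxiedRequest, false, 'session', 'tok', sessionOptions),
    withProxy: setSessionCookie(proxiedRequest, true, 'session', 'tok', sessionOptions),
  };
}
```

Without `app.proxy`, the request resolves to plain HTTP and the secure cookie is refused, which surfaces as "no cookie in the response" rather than as a visible error in the browser; with `app.proxy = true` the same request is treated as HTTPS and the header comes out as `session=tok; domain=.myapp.com; path=/; secure; samesite=lax; httponly`, the minimum Ray described. In a real Koa app the equivalent is setting `app.proxy = true` before registering middleware.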
blazu.g 4/3/2023
Sure, I will try it today. My app domain is app.myapp.com; does it make sense to set the cookie domain to server.myapp.com?
Ray 4/3/2023
I'd recommend using ".myapp.com" as the cookie domain for that setup. If you're setting the cookie from server.myapp.com, I don't think app.myapp.com has access to that. They're technically treated as different domains, so a cross-origin set-cookie won't work unless the cookie is set for .myapp.com.
Just remember that browsers can be pedantic about hostnames (FQDNs to be clear, and for very good reasons!) - myapp.com is not server.myapp.com or app.myapp.com.
And about your Railway deployment, make sure you have Koa set up to respect proxied headers - Railway proxies requests from the internet to your Koa server; Koa discards some headers for security reasons (if I recall correctly!).
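The domain-scoping rules Ray is describing are specified in RFC 6265, and the following added example (not part of the thread) models them in plain JavaScript: how a browser decides whether to accept a Set-Cookie with a given Domain attribute, and which hosts it later sends the cookie to. The hostnames server.myapp.com and app.myapp.com are the thread's; the cookie values are constructed. Path, Secure and SameSite matching are left out, and so is the public-suffix check real browsers also apply.

```javascript
// Added example: RFC 6265 cookie domain matching, simplified.

// RFC 6265 section 5.1.3: `host` domain-matches `domain` if they are identical,
// or if host ends with domain, the character before that suffix is '.', and
// host is not an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!host.endsWith(domain)) return false;
  const boundary = host[host.length - domain.length - 1];
  const isIPv4 = /^\d+(\.\d+){3}$/.test(host);
  return boundary === '.' && !isIPv4;
}

// RFC 6265 section 5.2.3: a leading dot in the Domain attribute is ignored, so
// "Domain=.myapp.com" and "Domain=myapp.com" mean the same thing to a browser.
function normalizeDomainAttr(attr) {
  return attr.replace(/^\./, '').toLowerCase();
}

// Store a cookie as a browser would when Set-Cookie arrives in a response
// from `requestHost` (section 5.3). Returns null when the browser rejects it.
// No Domain attribute => host-only cookie, bound to exactly requestHost.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) return { domain: host, hostOnly: true };
  const domain = normalizeDomainAttr(domainAttr);
  // The responding host must itself domain-match the attribute: a server at
  // server.myapp.com cannot set a cookie for app.myapp.com.
  if (!domainMatches(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Section 5.4: a host-only cookie goes only to its exact host; a domain cookie
// goes to every host that domain-matches it.
function wouldBeSent(cookie, host) {
  const h = host.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Which hosts receive a cookie set by server.myapp.com, for each Domain choice.
function demo() {
  const hosts = ['server.myapp.com', 'app.myapp.com', 'myapp.com', 'notmyapp.com'];
  const choices = { none: undefined, dotted: '.myapp.com', bare: 'myapp.com', frontend: 'app.myapp.com' };
  const out = {};
  for (const [label, attr] of Object.entries(choices)) {
    const cookie = storeCookie('server.myapp.com', attr);
    out[label] = cookie === null ? 'rejected' : hosts.filter((h) => wouldBeSent(cookie, h));
  }
  return out;
}
```

Running `demo()` shows the three cases in the thread: with no Domain attribute the cookie is host-only and reaches server.myapp.com alone, so app.myapp.com never sees it; with `.myapp.com` or `myapp.com` (identical after normalisation) it reaches the apex and every subdomain but not notmyapp.com; and `Domain=app.myapp.com` set from server.myapp.com is rejected outright. Separately, app.myapp.com and server.myapp.com are different origins (so CORS with credentials still has to be configured) but the same site, so `SameSite=Lax` does not by itself block the cookie between them.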
blazu.g 4/3/2023
What is the difference between .myapp.com and myapp.com? I'm not using { proxy: true } in my Koa server. Let me try it.
blazu.g 4/3/2023
Ray 4/4/2023
Stack Overflow: How do browser cookie domains work?
Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know the differences. In other...
Ray 4/4/2023
Do you happen to know where this is coming from?