Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Express Session + Angular: can't access connect.sid cookie

There is something I really don't understand here :

I have express running on server-side, with session initialized.

app.use(express.session({
    secret: 'mySecret'
    })
}));

As mentionned in this post Confusion over session IDs using Connect, it sends a connect.sid cookie to any request.

On the client-side, I want to read the content of this cookie, and it feels impossible :

angular.module('myApp.controllers', ['ngCookies','myApp.services'])
.controller('homeCtrl', function($scope, $cookies) {
    $cookies['test']='myValue';
    console.log($cookies);
});

When I run this, I get this object in the log : Object {test: "myValue"}, whereas if I go to ressources tab in Chrome debugger, I can see both cookies :

Screenshot of Ressources tab in chrome debugger

What am I doing wrong ?

Is it impossible to access server-made cookies from angular ?

Thanks

like image 694
Augustin Riedinger Avatar asked Mar 08 '13 16:03

Augustin Riedinger


2 Answers

By default connect session uses a httpOnly cookie (look here).

Reading the cookie is always forbidden when httpOnly flag is set.

Try to disable the httpOnly flag:

app.use(express.session({
    secret: 'mySecret',
    cookie: { httpOnly: false }
}));
like image 87
lupin Avatar answered Oct 27 '22 19:10

lupin


Be careful that you are not fixing one problem but creating another, and worse problem. The httpOnly flag is usually used to defend against XSS attacks. See this link at OWASP for more details: https://www.owasp.org/index.php/HttpOnly

Interesting story about this here: http://blog.codinghorror.com/protecting-your-cookies-httponly/

like image 36
gregorius Avatar answered Oct 27 '22 20:10

gregorius