2

I'm building a project with authentication. I'm using Node+React. I set an express session cookie on the back-end and I want a component in React to read that cookie to see if the user is authenticated or not. For some reason I cannot access that cookie from React (client-side)... Maybe someone could help out?

BACK:
const session = require("express-session");

app.use(session({
  name: process.env.SESS_NAME,            // cookie name, e.g. "sid"
  resave: false,
  saveUninitialized: false,
  secret: process.env.SESS_SECRET,
  cookie: {
    maxAge: parseInt(process.env.SESS_LIFETIME, 10), // lifetime in milliseconds
    sameSite: true, // same as "strict"
    secure: process.env.NODE_ENV === "production"
  }
}))

FRONT:
import Cookies from "js-cookie";
...
console.log("cookie", Cookies.get("sid")); // logs undefined in the browser

I have a cookie named "sid" in this case and I can see it in my console in the browser... but when I try to access it, it's undefined.

thanks!

3
  • Are you serving the React app from your Express instance? Commented Nov 14, 2019 at 23:45
  • No, I use the server side as an API for the client side... @Chev Commented Nov 15, 2019 at 14:43
  • Is there a specific reason for trying to access it? You've set it as an HttpOnly cookie, so you won't be able to access it on the client. curl.haxx.se/rfc/cookie_spec.html Commented Nov 15, 2019 at 21:52

1 Answer

3

Your issue is that you have not set the httpOnly property on the cookie when configuring session. The default value is true which will prevent client browsers from reading the cookie.

Note: be careful when setting this to true, as compliant clients will not allow client-side JavaScript to see the cookie in document.cookie.

const session = require("express-session");

app.use(session({
  name: process.env.SESS_NAME,
  resave: false,
  saveUninitialized: false,
  secret: process.env.SESS_SECRET,
  cookie: {
    maxAge: parseInt(process.env.SESS_LIFETIME, 10),
    sameSite: false, // this may need to be false if you are accessing from another React app
    httpOnly: false, // this must be false if you want to access the cookie
    secure: process.env.NODE_ENV === "production"
  }
}))

See the cookie options in docs


3 Comments

YES, but I do want it to be httpOnly since I don't want attackers to have any access... but still I need that for my front-end to know when the user is authenticated @Chev
OK, but your question and the answer above explain why you cannot access the cookie. You may be confusing session state with authentication; the session cookie is not used to test for authentication. This would be best served using JWT tokens. There are numerous articles on authentication with JWT, and I recommend you look at jsonwebtoken.
@hindi1991 please can you accept the answer covering why you could not read the cookie so other users can understand. Please create a new question if you are having issues with the auth JWT design. Best, Chev
