Set-Cookie header is ignored?


Evgeni

Mar 18, 2013, 1:59:13 PM
to ang...@googlegroups.com
Hi there,

I'm making a call to a service (using $resource), which returns a cookie, however it is not persisted for some reason.
I see the Set-Cookie header in a response. If I go directly to that service - the cookie is set in a browser, but it's not sent back to the server on subsequent calls using $resource.

Is angular somehow stripping the cookies off?
Or am I looking in a wrong place? I'm a bit lost here...

joe lepper

Apr 12, 2013, 7:37:18 PM
to ang...@googlegroups.com
I'm having exactly the same problem, any response to this thread would be great. 

I can see the cookie come back in my request but cannot access it either through the $cookie service or by using headers('Set-Cookie') in .success()

Eric Jacobsen

May 2, 2013, 11:40:01 AM
to ang...@googlegroups.com
Also having this problem.

Antonello Pasella

May 3, 2013, 3:41:03 AM
to ang...@googlegroups.com
Why are you using cookies?

It's just curiosity... I abandoned cookies, also session ones, using a token inserted as header in each $http request.

Antonello

Joseph Lepper

May 3, 2013, 10:08:22 AM
to ang...@googlegroups.com
We decided on them as a team. One of our leads really liked the idea of cookies and no one had a strong enough opposition or preference for tokens. We ended up solving the problem. It ended up being a problem with the cookies that the server was handing over. 

Once it worked it was nice not to have to do anything on every request. Once the auth was there it was automatically passed on every request by default. So there was a little upfront bug-fixing that led to eventual time-savings IMHO.

Sander Elias

May 3, 2013, 10:19:03 AM
to ang...@googlegroups.com
Hi Joe,

It might be helpful for others if you could describe the problem with the cookies from the server, so they might seek their solution in the right direction!

Regards
Sander Elias



Joseph Lepper

May 3, 2013, 10:30:28 AM
to ang...@googlegroups.com
Sure. 

Sorry I let this thread languish so long. I had moved on to other features of the frontend, when we realized that the problem was on the server. But, as I understand it, there was a problem with the gem that was being used not properly setting a cookie to be no-http-only.

In the end, my major takeaway was that my original post here was a classic XY problem. I thought that the problem was with the client, so I decided that I should try to explicitly access the cookie and pass it over. When in reality there was no good reason to try and access a cookie if I needn't be parsing it. It was just delirious flailing at a bug that wasn't where I was looking. 

Grant Rettke

May 29, 2013, 7:29:51 PM
to ang...@googlegroups.com
So the problem was that you set the cookie httponly when it shouldn't have been?

Joseph Lepper

May 29, 2013, 7:34:12 PM
to ang...@googlegroups.com
Yes.


On Wed, May 29, 2013 at 4:29 PM, Grant Rettke <gre...@gmail.com> wrote:
So the problem was that you set the cookie httponly when it shouldn't have been?
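
An added illustration of the diagnosis reached above (not code from any poster in this thread): given the Set-Cookie value a server sent, it reports whether page script can read the cookie and whether the browser will send it on later XHR calls to the same URL. The function names and the `example.test` hosts are constructed, and it assumes any Domain attribute is valid for the responding host.

```javascript
// Added example: what can a browser script do with a cookie from this Set-Cookie value?
function parseSetCookie(value) {
  const [pair, ...rest] = value.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf('=');
    // Attribute names are case-insensitive; flags such as HttpOnly carry no value.
    attrs[(i < 0 ? item : item.slice(0, i)).toLowerCase()] = i < 0 ? true : item.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

function explainCookie(setCookie, pageUrl, apiUrl, withCredentials) {
  const { name, attrs } = parseSetCookie(setCookie);
  const page = new URL(pageUrl);
  const api = new URL(apiUrl);
  const notes = ['Set-Cookie is a forbidden response header: XHR never exposes it to script'];

  // Cross-origin XHR stores and sends cookies only in credentialed mode
  // (withCredentials on the client, plus matching CORS headers from the server).
  const stored = page.origin === api.origin || withCredentials;
  if (!stored) notes.push('cross-origin call without withCredentials: cookie ignored');

  // Cookie scope is by host, not port: the Domain attribute, else the exact responding host.
  const domain = attrs.domain ? attrs.domain.replace(/^\./, '').toLowerCase() : null;
  const inScope = domain
    ? page.hostname === domain || page.hostname.endsWith('.' + domain)
    : page.hostname === api.hostname;
  if (!inScope) notes.push("cookie belongs to another host: not in this page's document.cookie");
  if (attrs.httponly) notes.push('HttpOnly: hidden from document.cookie and $cookies');

  const secureOk = !attrs.secure || api.protocol === 'https:';
  if (!secureOk) notes.push('Secure cookie is not sent over plain HTTP');

  return {
    name,
    scriptCanRead: stored && inScope && !attrs.httponly,
    sentOnLaterCalls: stored && secureOk,
    notes,
  };
}

// Constructed sample: an HttpOnly session cookie from a same-origin login call.
const SAMPLE = explainCookie('sid=abc123; Path=/; HttpOnly',
  'https://app.example.test/', 'https://app.example.test/api/login', false);
```

For the sample, `scriptCanRead` is false while `sentOnLaterCalls` is true: the browser still attaches the cookie to requests even though script cannot see it.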

Alisson Reinaldo Silva

May 19, 2019, 5:29:15 AM
to Angular and AngularJS discussion
I know this is really old. Just wanted to point out that the problem is: where do you store the token? LocalStorage is not safe against XSS attacks, ideally you'd want to store your token in a Secure HttpOnly Cookie.

Sander Elias

May 20, 2019, 2:17:17 AM
to Angular and AngularJS discussion
Hi Alisson,

Can you provide some sources for this? As far as I know, local-storage can only be read by the same origins as cookies can. So it's about the same protection level as secure cookies.
But unlike cookies, local storage is not vulnerable to HTTP-trace.

Especially for an XSS attack, the browser will attach the cookie to an attacker's request, while a token stored in local-storage is not.

Please let me know, because I take security very seriously, and I want to be ahead of possible attacks!

Regards
Sander