If you have a single response header, are sending json and are updating a cookie then everything works fine today. If you are trying to send multiple response headers (for ex. including a CORS header), sending json and updating a cookie ... well the cookie gets dropped in the response.
Let me describe what works first and then I'll get into what doesn't.
Working today
If I have a route that looks like this pseudo code.
proc isLoggedIn(request: Request): bool =
  hasKey(request.cookies, COOKIE_KEY) and
    http_sessions.hasValidSession(request.cookies[COOKIE_KEY])

template continueUserSession(request: Request): typed =
  # Do some work to calculate new expire date/time, add/update sessions, etc.
  setCookie(COOKIE_KEY, sessionId, expireDT, Lax, false, false, DEV_SERVER, "/")

get "/foo":
  if isLoggedIn(request):
    continueUserSession(request)
    let myjson = doWork()
    resp($myjson, "application/json")
Calling that from curl gets the following headers
HTTP/1.1 200 OK
set-cookie: mycookie=5ec2f562ef9dc91850f1679f; Domain=localhost; Path=/; Expires=Tue, 19 May 2020 20:51:46 GMT; SameSite=Lax
content-type: application/json
Content-Length: 18
So we get the cookie that we're expecting.
What doesn't work
Let's say we want to allow CORS requests. This means that in addition to the application/json header, we want to return access-control-allow-origin: * as well. Oh and we still want to update cookies to continue sessions. So our resp() call changes.
# for all intents and purposes, isLoggedIn() is the same as above
# continueUserSession() is the same as above
get "/foo":
  if isLoggedIn(request):
    continueUserSession(request)
    let myjson = doWork()
    resp(Http200, [("Content-Type", "application/json"), ("Access-Control-Allow-Origin", "*")], $myjson)
We get our multiple headers in the response, but it no longer includes the cookie header. Somebody silently ate the cookie instead of passing it along.
HTTP/1.1 200 OK
content-type: application/json
access-control-allow-origin: *
Content-Length: 18
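A regression check for the behaviour reported above, as an added example that is not part of the original issue or of the framework's code. It parses a raw response head, keeps repeated headers, and reports which expected headers or cookies are absent; the function names are hypothetical and the two sample responses are the ones quoted in this issue.

```python
# Added example: detect a response that lost its Set-Cookie header.

def parse_head(raw):
    """Return (status_line, {lowercased name: [values]}), keeping repeated headers."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")  # split on the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def cookie_names(headers):
    """Names of the cookies set by the response (one Set-Cookie header per cookie)."""
    return {v.split(";", 1)[0].split("=", 1)[0].strip()
            for v in headers.get("set-cookie", [])}

def missing_from_response(raw, want_headers, want_cookies):
    """List the expected header names and cookie names the response lacks."""
    _, headers = parse_head(raw)
    missing = [h for h in want_headers if h.lower() not in headers]
    present = cookie_names(headers)
    missing += ["set-cookie:" + c for c in want_cookies if c not in present]
    return missing

# Response heads as quoted in the issue.
SINGLE_HEADER = """HTTP/1.1 200 OK
set-cookie: mycookie=5ec2f562ef9dc91850f1679f; Domain=localhost; Path=/; Expires=Tue, 19 May 2020 20:51:46 GMT; SameSite=Lax
content-type: application/json
Content-Length: 18
"""

MULTI_HEADER = """HTTP/1.1 200 OK
content-type: application/json
access-control-allow-origin: *
Content-Length: 18
"""

if __name__ == "__main__":
    print(missing_from_response(SINGLE_HEADER, ["Content-Type"], ["mycookie"]))
    print(missing_from_response(
        MULTI_HEADER, ["Content-Type", "Access-Control-Allow-Origin"], ["mycookie"]))
```
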