My application uses Angular 5. For cookie-based authentication, my server
sends Set-Cookie to my Angular application. However, the application
doesn't send the value back in further requests. I have set withCredentials
to true.
Following is my code.
    import { HttpHeaders } from '@angular/common/http';
    import 'rxjs/add/operator/map';
    import 'rxjs/add/operator/catch';

    const httpOptions = {
      headers: new HttpHeaders({ 'Content-Type': 'application/json' }),
      // This is required so that Angular returns the cookies received from the
      // server. The server sends cookies in the Set-Cookie header. Without this,
      // Angular will ignore the Set-Cookie header.
      withCredentials: true
    };

    // Method of the service class (this.http is assumed to be the injected HttpClient)
    public getUserProfile() {
      console.log('contacting server at ' + this.API_URL
        + this.GET_USER_PROFILE_URL + ' with httpOptions ' + httpOptions);
      return this.http.get(this.GET_USER_PROFILE_URL, httpOptions)
        .map(response => {
          console.log('response from backend service', response);
          let result = <ServerResponse>response;
          console.log('result is ' + result.result
            + ' with additional information ' + result.additionalInformation);
          return result;
        })
        .catch(this.handleError);
    }
The server sends the cookie as follows in the 200 OK of my code (not shown here)
Set-Cookie: id=...
The next message however hasn't got the id in the cookie, thus the server
returns 401. If I manually add the Cookie using the browser's debug tools, then
I get 200 OK. Thus I am certain it is the absence of the id value in the
cookie which is causing the issue.
What am I doing wrong? Do I need to explicitly store the cookie received in
Set-Cookie and explicitly add it in further requests?
Update - At the time when the SPA is initially loaded, the server sends
Set-Cookie header with some other cookie's information related to CSRF. I
notice that that cookie is still sent by the application. Could it be that
Angular honors the first Set-Cookie header but ignores the subsequent ones?
I have added a couple of pics to explain what I mean.
During signing, the client sends a cookie related to CSRF. I don't think it
is required as the client also sends the CSRF header, but for some reason it
does. The server responds with Set-Cookie with id in it
[image: enter image description here] <https://i.stack.imgur.com/xl1iz.png>
Then when I ask for profile, the client again sends the CSRF cookie but not
the id cookie
[image: enter image description here]
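A way to check the situation described in the question, added here as an example that is not part of the original post: a browser returns a cookie only on requests whose host, path and scheme match the attributes of the Set-Cookie header that created it, so comparing the sign-in response with the profile request URL shows whether the id cookie should be attached. The function names and URLs are hypothetical, the matching is a simplified form of RFC 6265, and SameSite, expiry and the cross-origin credentials mode are not modelled.

```javascript
// Added example: simplified RFC 6265 matching, enough to debug a missing cookie.
// Hypothetical helper names; SameSite and expiry are not modelled.

// Parse one Set-Cookie header value into name, value and lowercase attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Default path when no Path attribute: directory of the URL that set the cookie.
function defaultPath(pathname) {
  const i = pathname.lastIndexOf('/');
  return i <= 0 ? '/' : pathname.slice(0, i);
}

// Returns { sent: boolean, reason: string } for a follow-up request.
function wouldSendCookie(setCookieHeader, setUrl, requestUrl) {
  const c = parseSetCookie(setCookieHeader);
  const from = new URL(setUrl);
  const to = new URL(requestUrl);

  // Domain: host-only when the attribute is absent, suffix match otherwise.
  const domain = typeof c.attrs.domain === 'string'
    ? c.attrs.domain.replace(/^\./, '').toLowerCase() : null;
  const hostOk = domain
    ? to.hostname === domain || to.hostname.endsWith('.' + domain)
    : to.hostname === from.hostname;
  if (!hostOk) return { sent: false, reason: 'domain mismatch' };

  // Path: request path must equal the cookie path or sit underneath it.
  const path = typeof c.attrs.path === 'string' && c.attrs.path.startsWith('/')
    ? c.attrs.path : defaultPath(from.pathname);
  const p = to.pathname;
  const pathOk = p === path || (p.startsWith(path) &&
    (path.endsWith('/') || p[path.length] === '/'));
  if (!pathOk) return { sent: false, reason: 'path mismatch: cookie path is ' + path };

  if (c.attrs.secure && to.protocol !== 'https:')
    return { sent: false, reason: 'Secure cookie on a non-HTTPS request' };
  return { sent: true, reason: 'attributes match' };
}
```

Feed it the exact Set-Cookie value shown in the browser's network tab for the sign-in response, together with the sign-in and profile URLs.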