cannot set HttpOnly attribute to false for cookie #3340

Closed
raugustin-amplify opened this issue Jun 16, 2017 · 5 comments

raugustin-amplify commented Jun 16, 2017

Hi, I am setting a cookie for tracking purposes in the response object like this:
res.cookie('tracking_cookie', 'cookievalue', { httpOnly: false });
We have some client-side script that wants to read the cookies, but it still sets the HttpOnly flag.
It seems that something overrides the statement.
The reason I say that is that when I set the cookie with set or append like this:
res.append('Set-Cookie', 'tracking_cookie=cookie_name; Path=/; HttpOnly=false');
I see this in the client-side response header:
Set-Cookie:tracking_cookie=cookievalue; Path=/; HttpOnly=false; Secure; HttpOnly
This means something set the HttpOnly attribute after the statement.

@dougwilson
Contributor

Hi @raugustin-amplify I wasn't able to reproduce your issue with the latest Node.js on the latest Node.js 6.x. Here is what I tried:

$ npm i express
npm notice created a lockfile as package-lock.json. You should commit this file.
+ express@4.15.3
added 42 packages in 2.58s
$ node -v
v6.11.0
$ cat app.js 
const express = require('express')
const app = express()

app.get('/', (req, res) => {
  res.cookie('tracking_cookie', 'cookievalue', { httpOnly: false })
  res.send('hello!')
})

app.listen(3000)
$ node app &
[1] 45570
$ curl -I http://127.0.0.1:3000/
HTTP/1.1 200 OK
X-Powered-By: Express
Set-Cookie: tracking_cookie=cookievalue; Path=/
Content-Type: text/html; charset=utf-8
Content-Length: 6
ETag: W/"6-j32I6QGlrToF2MwN6TMT/XYCj4w"
Date: Fri, 16 Jun 2017 19:45:40 GMT
Connection: keep-alive

You can see that the Set-Cookie header is just tracking_cookie=cookievalue; Path=/ so certainly nothing in the simple app there is forcing the HttpOnly. That means that whatever is causing your issue is contained within the difference between my app above and your app.

Can you please provide all the following?

  1. Your Node.js version
  2. Your Express.js version
  3. Full, complete code I can run that reproduces the issue
  4. Complete instructions for how to run your code and what call to make to see the issue

Thanks!

raugustin-amplify commented Jun 16, 2017

I am running node v8.0.0 and express 5.0.0.
I get a similar result when I curl on my dev server, regarding the Set-Cookie header.
It doesn't set the http flag on my local server.

We run the host on a test environment with an https connection.

Here is a snippet of the relevant server code I extracted:

let express = require('express');
let http = require('http');
let _ = require('underscore');
let url = require('url');
let util = require('util');
let os = require('os');
let NodeCache = require('node-cache');
let nodeCache = new NodeCache({ stdTTL: 10000, checkperiod: 120 });

let cookieParser = require('cookie-parser');
let app = express();
let router = express.Router()
app.use(cookieParser());
let setCookie = function (req, res, next) {
  res.cookie('tracking_cookie', 'cookieValue', { httpOnly: false });
  next();
};

router.get('*', isAuthorized, setCookie, express.static('www/'));
app.set('views', __dirname + '/views');
app.set('view engine', 'ejs');
app.use('/ckla', router);
let server = http.createServer(app);
server.listen(9443);

@dougwilson
Contributor

Hm, I'm still not able to reproduce with that code. What is the call you are making against that server and seeing the issue with? Without being able to reproduce, I'm not sure what I can debug against.

@MuthukumarHelios

Hi @raugustin-amplify, what are you trying to do with

router.get('*', isAuthorized, setCookie, express.static('www/'));

router.get('*', [middleware1, middleware2], (req, res) => {
  // do your stuff here api
  res.cookie('name', 'express').send('cookie set'); // cookie is set with key value
});

// "*" ==> means that you are redirecting all your GET APIs to this router through router-level middleware

@dougwilson
Contributor

Closing since I couldn't reproduce, so don't know what the resolution would be.
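
One way to compare what a route emits with what the client receives, as an added example that is not part of the original thread and not Express's own code. The function names `parseSetCookie`, `isHttpOnly` and `addedDownstream` are hypothetical; the sample headers are the ones quoted in the thread. User agents key on the attribute name only (RFC 6265, section 5.2.6), so `HttpOnly=false` is still treated as `HttpOnly`.

```javascript
// Added example: function names are hypothetical, not part of Express.

// Parse one Set-Cookie header value into the cookie pair and its attributes.
function parseSetCookie(header) {
  const value = header.replace(/^set-cookie:\s*/i, '');
  const [pair, ...rest] = value.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const attrs = rest.filter(Boolean).map((raw) => {
    const i = raw.indexOf('=');
    return {
      raw,
      name: (i === -1 ? raw : raw.slice(0, i)).trim().toLowerCase(),
      value: i === -1 ? '' : raw.slice(i + 1).trim(),
    };
  });
  return {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs,
  };
}

// Only the attribute *name* matters to the user agent, so "HttpOnly=false"
// hides the cookie from document.cookie exactly like a bare "HttpOnly".
function isHttpOnly(header) {
  return parseSetCookie(header).attrs.some((a) => a.name === 'httponly');
}

// Attributes present in the received header but not in the emitted one, i.e.
// added by something after the route handler (later middleware or a proxy).
function addedDownstream(emitted, received) {
  const remaining = parseSetCookie(emitted).attrs.map((a) => a.raw.toLowerCase());
  return parseSetCookie(received).attrs
    .filter((a) => {
      const i = remaining.indexOf(a.raw.toLowerCase());
      if (i === -1) return true;
      remaining.splice(i, 1); // consume one match so duplicates are counted
      return false;
    })
    .map((a) => a.raw);
}

// Headers quoted in the thread above.
const fromCurl = 'Set-Cookie: tracking_cookie=cookievalue; Path=/';
const appended = 'tracking_cookie=cookie_name; Path=/; HttpOnly=false';
const onClient =
  'Set-Cookie:tracking_cookie=cookievalue; Path=/; HttpOnly=false; Secure; HttpOnly';

console.log(isHttpOnly(fromCurl), isHttpOnly(appended), isHttpOnly(onClient));
console.log(addedDownstream(appended, onClient));
```

Running the same comparison on the header captured at the app (for example with `curl -I` against the Node process directly) and the one seen in the browser shows which attributes were added after the route handler ran.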
