Fetch API with Cookie

Asked 1/1, 2016 at 17:21 Answered 27/3, 2024 at 9:32

352

I am trying out the new Fetch API but is having trouble with Cookies. Specifically, after a successful login, there is a Cookie header in future requests, but Fetch seems to ignore that headers, and all my requests made with Fetch is unauthorized.

Is it because Fetch is still not ready or Fetch does not work with Cookies?

I build my app with Webpack. I also use Fetch in React Native, which does not have the same issue.

Fancher answered 1/1, 2016 at 17:21 Comment(0)

393

Fetch does not use cookie by default. To enable cookie, do this:

fetch(url, {
  credentials: "same-origin"
}).then(...).catch(...);

Fancher answered 4/1, 2016 at 13:34 Comment(13)

same-origin doesn't work anymore, include does (see @Jerry's answer): developers.google.com/web/updates/2015/03/introduction-to-fetch – Communalism 7/12, 2016 at 0:59

@jpic: 'include' only works for cross-origin requests, but not for same-origin requests. Official docs: github.com/github/fetch#sending-cookies – Hebdomadary 29/11, 2017 at 17:26

What is the reason then to have httponly cookies if they are readable in js with fetch ? – Reo 7/12, 2017 at 22:24

I believe same-origin (which does still work) means that more headers will be respected (cookies, etc) but your code will have limited access to the response. – Crinoline 13/12, 2017 at 15:51

Wasted a lot of time trying to figure out the problem in the server side. Thanks a lot! – Kneepan 12/5, 2018 at 19:39

@MartinBajcar parameter "credentials" in fetch is not reading any cookie, it only acts as a door, if opened(credentials: 'include'), cookies will be allow to pass, if not opened then they aren't. – Dreary 28/5, 2018 at 8:46

@JohnBalvinAriasThx. As I later understood, having cookie httponly means that it's not readable by document.cookie, but still available to ajax or fetch requests. – Reo 28/5, 2018 at 22:1

i am unable to get "set-cookie" parameter in response headers in fetch api in android. in ios i am getting it for first time. how to get "set-cookie" every time i login in both android and ios. i used to achieve this in native ios by setting setHTTPShouldHandleCookies to NO. thanks in advance – Pollen 20/6, 2018 at 16:54

@DhanunjayKumar If you have a new question, please use the Ask Question button. Comments are not a good avenue for getting questions answered. – Boltzmann 1/8, 2018 at 20:50

@HereticMonkey : i have added as question also link : #50905245 – Pollen 2/8, 2018 at 5:6

Hello guys, I was reading this question, and I have a similar one, which my cookies are set to HttpOnly and from javascript when I fetch an API it redirects to login url because it cannot reach the cookies, where credentials:same-origin didnt work for me, can you please check my question? #59311703 – Omphalos 16/12, 2019 at 7:58

what if we have different origins. – Louvre 19/2, 2023 at 20:47

same origin is the default value now. assuming this is cors, which was my issue when I came here, @zurfyx answer should probably be the accepted one. – Susan 21/3, 2024 at 4:4

318

In addition to @Khanetor's answer, for those who are working with cross-origin requests: credentials: 'include'

Sample JSON fetch request:

fetch(url, {
  method: 'GET',
  credentials: 'include'
})
  .then((response) => response.json())
  .then((json) => {
    console.log('Gotcha');
  }).catch((err) => {
    console.log(err);
});

https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials

Blench answered 13/8, 2016 at 18:38 Comment(11)

how do you set the cookie though? – Camden 30/8, 2016 at 17:58

The cookie is set from server-side. In my case I was using httponly cookies. – Fancher 18/11, 2016 at 14:25

@Fancher can I set cookies using the document.cookie by javascript, and then send the request? – Teocalli 14/6, 2017 at 1:36

@Teocalli You can send it in the header. – Devisee 24/11, 2017 at 9:17

Interesting fact: I wanted to cover both cases of fetch with same-origin and cross-origin by using this, and I could not, but it did work for cross-origin requests. =) – Hebdomadary 29/11, 2017 at 17:25

@Teocalli I found that just setting the value in document.cookie was enough for it to be included in the requests. – Baroscope 2/4, 2018 at 18:47

If you're using a rails API and keep getting CORS issues with Access-Control-Allow-Credentials make sure in your Rack::Cors config you set credentials: true on the resource. – Pneumonectomy 6/2, 2021 at 19:33

@Camden dough* - refrigerate it for 24hrs, it should be fully set by then – Nolita 15/7, 2021 at 9:45

See this solution – Octopus 29/12, 2022 at 8:27

This made an end to my countless hour journey on why setting my cookie doesn't work. Thank you so very much. – Rutherford 18/1, 2023 at 10:11

124

Have just solved. Just two f. days of brutforce

For me the secret was in following:

I called POST /api/auth and see that cookies were successfully received.
Then calling GET /api/users/ with credentials: 'include' and got 401 unauth, because of no cookies were sent with the request.

The KEY is to set credentials: 'include' for the first /api/auth call too.

Hypothesize answered 7/8, 2018 at 11:47 Comment(10)

I have exactly your problem. The session cookie is never sent on the GET data request. so 401. I have tried Axios and Fetch. same result. 2 possibilities: the login POST doesnt store the received cookie or the following GET data doesnt send the stored cookie – Sheepcote 9/10, 2018 at 13:46

@Rhubarb65, to win this u should specify credentials: 'include' for first POST /api/auth – Hypothesize 9/10, 2018 at 14:18

Yes, I had that but it want enough. I use a devserver proxy (client Http) – Sheepcote 11/10, 2018 at 13:19

Yes, I had credentials but it was not enough. I was using a devserver proxy to get past CORS: (client http) - proxy - (server https). I believe this meant that the sessionid cookie from the server was not set in the browser because secure cookies require https. So I added the flag https: true in the devserver proxy and that fixed it – Sheepcote 11/10, 2018 at 13:25

Well cheers. Your answer meant it only took me 1 day of bruteforce. :) – Phippen 22/5, 2020 at 14:50

As I remember, used browser dev tools and backend logs (request data) to understand that no cookies were sent. After I randomly (i think so, may be from google search) added needed param to first auth call. PS hehe - found that in profile my location is moon (: – Hypothesize 5/10, 2020 at 10:2

I owe you a big fat pint of beer. I've been banging my head against the desk for the past 3 hours trying to solve this issue. Thank you x1000. – Faulkner 14/10, 2020 at 16:49

Also, don't be me. Make sure the fetch URL is 127.0.0.1 not localhost, or the Cookie won't be set. – Angers 1/4, 2021 at 11:32

That's amazing! I would never have thought to try that. What's the rationale to also need to try and send a cookie on the first request? – Eluvium 23/2, 2023 at 22:2

You are a legend. 2 days of bruteforce here as well until I read your answer. – Tridentine 17/6, 2023 at 4:24

If you are reading this in 2019, credentials: "same-origin" is the default value.

fetch(url).then

Heterolysis answered 13/6, 2019 at 8:39 Comment(1)

But note that not everyone is using a sufficiently updated browser. I came across this question because my own version of Firefox (60.x, the most recent in Debian Stretch) doesn't set that by default. – Sardonic 30/10, 2019 at 13:34

Programmatically overwriting Cookie header in browser side won't work.

In fetch documentation, Note that some names are forbidden. is mentioned. And Cookie happens to be one of the forbidden header names, which cannot be modified programmatically. Take the following code for example:

Executed in the Chrome DevTools console of page https://httpbin.org/, Cookie: 'xxx=yyy' will be ignored, and the browser will always send the value of document.cookie as the cookie if there is one.
If executed on a different origin, no cookie is sent.

fetch('https://httpbin.org/cookies', {
  headers: {
    Cookie: 'xxx=yyy'
  }
}).then(response => response.json())
.then(data => console.log(JSON.stringify(data, null, 2)));

P.S. You can create a sample cookie foo=bar by opening https://httpbin.org/cookies/set/foo/bar in the chrome browser.

See Forbidden header name for details.

Evasive answered 1/9, 2021 at 14:22 Comment(1)

It works for me: headers: { Cookie: cookies().toString() }, – Helping 25/3, 2024 at 4:4

Just adding to the correct answers here for .net webapi2 users.

If you are using cors because your client site is served from a different address as your webapi then you need to also include SupportsCredentials=true on the server side configuration.

        // Access-Control-Allow-Origin
        // https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api
        var cors = new EnableCorsAttribute(Settings.CORSSites,"*", "*");
        cors.SupportsCredentials = true;
        config.EnableCors(cors);

Rigney answered 27/8, 2019 at 16:57 Comment(3)

'cors.SupportsCredentials = true;' saved my day, thanks. – Wadewadell 28/3, 2021 at 15:48

Completely unrelated to the question. This is about browser APIs and React Native, not some other platform. – Phineas 2/10, 2023 at 12:25

@OlegMihailik this was just to point out that not setting up CORS correctly will cause a similar error. My answer is not releated to React Native; though, I suspect, it could manifest there as well. – Rigney 20/11, 2023 at 23:52

This works for me:

import Cookies from 'universal-cookie';
const cookies = new Cookies();

function headers(set_cookie=false) {
  let headers = {
    'Accept':       'application/json',
    'Content-Type': 'application/json',
    'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
};
if (set_cookie) {
    headers['Authorization'] = "Bearer " + cookies.get('remember_user_token');
}
return headers;
}

Then build your call:

export function fetchTests(user_id) {
  return function (dispatch) {
   let data = {
    method:      'POST',
    credentials: 'same-origin',
    mode:        'same-origin',
    body:        JSON.stringify({
                     user_id: user_id
                }),
    headers:     headers(true)
   };
   return fetch('/api/v1/tests/listing/', data)
      .then(response => response.json())
      .then(json => dispatch(receiveTests(json)));
    };
  }

Celestina answered 6/5, 2020 at 21:54 Comment(1)

Thanks! This is exactly what I was trying to figure out!! 'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content') saved the day! – Ratcliff 9/8, 2022 at 0:17

If it still doesn't work for you after fixing the credentials.

I also was using the :

  credentials: "same-origin"

and it used to work, then it didn't anymore suddenly, after digging much I realized that I had change my website url to http://192.168.1.100 to test it in LAN, and that was the url which was being used to send the request, even though I was on http://localhost:3000.

So in conclusion, be sure that the domain of the page matches the domain of the fetch url.

Morrissette answered 27/1, 2022 at 8:49 Comment(4)

Any ideas if it's port specific? Curious how this works when the host is the same but the port is different? (ie. UI server + backend server) – Jervis 13/5, 2022 at 19:16

Hello @Jervis Yes actually it may seem that ports aren't related to cors but they are : https://mcmap.net/q/76922/-cors-error-on-same-domain – Morrissette 13/5, 2022 at 19:32

note, that also localhost is not the same as 127.0.0.1 - your backend needs to be on the exact same ip address than your frontend – Fribourg 10/3, 2023 at 7:13

or.. just use include instead of same-origin. – Susan 21/3, 2024 at 5:13

My issue was my cookie was set on a specific URL path (e.g., /auth), but I was fetching to a different path. I needed to set my cookie's path to /.

Alcock answered 2/7, 2021 at 19:46 Comment(0)

I wasted three hours looking for a solution so I decided to share my findings.

login(email: string, password: string): Promise<User | null> {

  return fetch('http://localhost:8080/api/login', {
    method: 'POST',
    credentials: 'include',
    headers: {
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      email: email,
      password: password,
    }),
  })
      .then(response => {
        this.handleError(response);
        return response.ok ? response.json() : null;
      })
}

"credentials: 'include'" parameter must be set in the request that receives Set-Cookies header, not just subsequent request that we expect to carry the cookie;
Most most importantly Access-Control-Allow-Headers returned by the server MUST list all possible headers that client MAY send. Contrary to your expectation wildcard asterisk value won't work. If client sends at least one unknown header it will also break cors.

Northwestward answered 27/3, 2024 at 9:32 Comment(0)

If the fetch is not sending credentials even though the request is not intended to be a cross-origin call, it could be because the request is being processed as cross-origin due to differences in protocols between the origin of the request and location of the response.

I observed that my server was returning Location header with an http URL, while the connection was established over https. As a result, the browser treated the request as cross-origin and applied cross-origin rules. It's worth noting that Firefox (version 114.0.2) and Safari (version 16.1) didn't display any warnings in this scenario, but Chrome (version 114.0.5735.198) showed a (blocked:mixed-content) error, which helped in identifying the issue.

If anyone is interested, in this particular case, SSL termination was being performed in the reverse-proxy, but the gunicorn server was not correctly handling it due to misconfiguration, specifically related to the secure-scheme-headers and forwarded_allow_ips settings. After resolving these settings on the server side, fetch started working fine in all browsers.

Newish answered 2/7, 2023 at 20:50 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

If it still doesn't work for you after fixing the credentials.

Recommended topics

Hot tags