I tried doing it through the Authorization header and it works perfectly.
But as I'm trying to pass the token through a cookie, it doesn't seem to appear in browser storage, e.g. cookies.
use actix_web::{web, HttpResponse, Responder, ResponseError};
use actix_web::cookie::{Cookie, SameSite};
use sqlx::PgPool;

// LoginForm, user_service and Error are the poster's own types (not shown here).
pub async fn login(db: web::Data<PgPool>, input: web::Json<LoginForm>) -> impl Responder {
    // res is a tuple (User, String): the user record and the signed JWT.
    let res = user_service::login(&db, input.0).await;
    match res {
        Ok(res) => {
            // Secure is left off in this draft; HttpOnly keeps the JWT away from page scripts.
            let cookie = Cookie::build("jwt_token", res.1)
                .http_only(true)
                .secure(false)
                .same_site(SameSite::Strict)
                .finish();
            HttpResponse::Ok()
                //.append_header(("Authorization", res.1))
                .cookie(cookie)
                .json(serde_json::json!(res.0))
        }
        // ResponseError must be in scope for error_response() to resolve.
        Err(_err) => Error::InternalError.error_response(),
    }
}
It's just a draft, so don't mind me using internal errors.
res is a tuple (User, string).
Also, from Insomnia cookies work fine.
From what the browser gets I can clearly see my server does send the cookie there.
actix-cors suggests that you are making cross-site requests? In that case, setting the SameSite attribute of your cookie to Strict will not send your cookie as part of cross-site requests. Have you tried using a cookie without setting its SameSite attribute?
Ah, yes. You also need to set the secure flag of the cookie with .secure(true) for SameSite::None to take effect on cross-site requests. From the docs:
If the SameSite attribute is “None”, the cookie is sent in all cross-site requests if the “Secure” flag is also set, otherwise the cookie is ignored.
I used SameSite Strict and the server did send the cookie to the frontend, but it didn't get stored. Also, with Strict I was using Secure set to false.
If I'm using SameSite Strict on the cookie and using cross-site requests, the frontend won't pass them? Or the server won't pass them to the frontend?
Either way, my only issue with cookies is that they don't get stored in the browser. I tested it in Firefox and Chromium. Using utilities like Insomnia, all works perfectly fine: cookies are set and they apply to any request after it.
Maybe the browser is the cause of my problem? Is there any additional configuration to store the cookie? I thought they do that automatically, but anyway. On the frontend I'm using SvelteKit, if it is important.
Yes, the browser is probably your problem, not storing the cookie because it is not properly configured. With CORS it's the same: it's just two header fields that are respected by all major browser engines; they don't alter the behaviour of HTTP itself. Have you tried this to create your cookie?
    let cookie = Cookie::build("jwt_token", res.1)
        .http_only(true)
        .secure(true)
        .same_site(actix_web::cookie::SameSite::None)
        .finish();
If that's a request to another origin, the situation is hopeless and cookies basically won't work.
This is how ads track and profile people, so browsers have either completely blocked them, or isolated them to a per-origin sandbox, or have very limited, unreliable heuristics for special cases.
If you first navigate to the cookie's domain as the top-level page, perform a user action such as a mouse click, then perform a POST to the cookie's origin, and then redirect to another origin, it might survive. But don't count on it.
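The rules the replies above rely on (SameSite=None only counts together with Secure, a Strict cookie is dropped in a cross-site context, Secure cookies need https), as a small model added here rather than code from the thread; it uses only std, and all type and function names are hypothetical. The store rule for Strict/Lax cookies in cross-site responses is simplified.

```rust
// Added example (not from the thread): a simplified model of how a browser
// decides whether to store a cookie and whether to attach it to a request.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum SameSite { Strict, Lax, None }

#[derive(Clone, Copy, Debug)]
pub struct CookieAttrs { pub secure: bool, pub http_only: bool, pub same_site: Option<SameSite> }

/// Context of the request that carried the Set-Cookie, or that would carry the cookie.
#[derive(Clone, Copy, Debug)]
pub struct RequestCtx { pub https: bool, pub cross_site: bool, pub top_level_nav: bool }

fn same_site_allows(c: &CookieAttrs, ctx: &RequestCtx) -> bool {
    // Unspecified SameSite is treated as Lax by current browsers.
    match c.same_site.unwrap_or(SameSite::Lax) {
        SameSite::None => true,
        SameSite::Strict => !ctx.cross_site,
        SameSite::Lax => !ctx.cross_site || ctx.top_level_nav,
    }
}

/// Whether a browser stores the cookie from a response received in this context.
pub fn browser_stores(c: &CookieAttrs, ctx: &RequestCtx) -> bool {
    // SameSite=None is only honoured together with Secure; otherwise the cookie is ignored.
    if c.same_site == Some(SameSite::None) && !c.secure { return false; }
    // A Secure cookie is only accepted over https (the localhost exception is ignored here).
    if c.secure && !ctx.https { return false; }
    // Strict/Lax cookies arriving in a cross-site response are dropped (simplified).
    same_site_allows(c, ctx)
}

/// Whether a browser attaches an already stored cookie to a request in this context.
pub fn browser_sends(c: &CookieAttrs, ctx: &RequestCtx) -> bool {
    if c.secure && !ctx.https { return false; }
    same_site_allows(c, ctx)
}

/// Set-Cookie value in the shape a cookie builder such as actix's emits.
pub fn set_cookie_header(name: &str, value: &str, c: &CookieAttrs) -> String {
    let mut s = format!("{}={}", name, value);
    if c.http_only { s.push_str("; HttpOnly"); }
    if c.secure { s.push_str("; Secure"); }
    match c.same_site {
        Some(SameSite::Strict) => s.push_str("; SameSite=Strict"),
        Some(SameSite::Lax) => s.push_str("; SameSite=Lax"),
        Some(SameSite::None) => s.push_str("; SameSite=None"),
        None => {}
    }
    s
}
```

Run against the thread's two cookies: the Strict/insecure draft sent to a cross-site frontend is not stored, while SameSite=None plus Secure over https is stored and sent.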