Why cookie not being set in browser, but it does in POSTMAN?

I am sending a GET request for Basic authentication, to which the server (the backend API) would return (if the authentication is successful) a cookie. This is working fine for POSTMAN, but in the browser the cookie is not being set.

Here is my application flow:

1. Browser/POSTMAN login using basic authentication. Send credentials using Authorization Basic xxxxxx== header.
2. Server reads the authentication details, and if correct it creates a cookie named auth and sends it back with the response (above code). For the security layer, I am using Spring Security.
3. For further requests, that cookie will automatically be sent with each request. Now I had to take that cookie and extract the authentication details from it. After that, I had to add Authorization Basic xxxxxx== to that request (because now the Authorization is not sent by the client, only the cookie is sent). For this I created the Filter which will run before Spring's BasicAuthenticationFilter.class.

Step 2 is working for POSTMAN, but not for the browser. In POSTMAN, the response sent by the server contains Set-Cookie →auth=Basic xxxxxxxx=; Domain=localhost; HttpOnly.

curl -i -u pu@gmail.com:password@ http://localhost:8085/api/v1/login

HTTP/1.1 200
Set-Cookie: auth=Basic xxxxxxxx==; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 0
Date: Tue, 12 Feb 2019 05:59:33 GMT

The response header in browser:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:3007
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Tue, 12 Feb 2019 11:52:10 GMT
Expires: 0
Pragma: no-cache
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

What additional configuration do I need to do here?
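
A check over the two captures in the post above, as an added example that is not part of the original post: it lists which of the conditions a browser applies before storing a cookie from a cross-origin response are not met by a captured response. The origins are taken from the post's curl command and Access-Control-Allow-Origin header; the credentials mode of the client call is an assumption, since the post does not show the client code.

```javascript
// Added example, not from the original post. Header values are copied from the
// two captures in the post (trimmed); ctx values marked "assumed" are not.
const CURL_CAPTURE = `HTTP/1.1 200
Set-Cookie: auth=Basic xxxxxxxx==; HttpOnly
X-Frame-Options: DENY
Content-Length: 0`;
const BROWSER_CAPTURE = `Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:3007
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
Content-Length: 0`;

// Parse "Name: value" lines into a map of lower-cased name -> list of values.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // status line or blank line
    const name = line.slice(0, i).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(i + 1).trim());
  }
  return headers;
}

// Return the reasons a page at ctx.pageOrigin would not get a cookie stored
// from this response. An empty list means none of these checks failed.
function cookieFindings(raw, ctx) {
  const h = parseHeaders(raw);
  const first = (name) => (h.get(name) || [])[0];
  const findings = [];
  if (!h.has("set-cookie")) findings.push("response carries no Set-Cookie header");
  if (ctx.pageOrigin === ctx.apiOrigin) return findings; // CORS checks do not apply
  if (ctx.credentialsMode !== "include")
    findings.push("cross-origin request was not made with credentials 'include'");
  if (first("access-control-allow-credentials") !== "true")
    findings.push("Access-Control-Allow-Credentials is not 'true'");
  if (first("access-control-allow-origin") !== ctx.pageOrigin)
    findings.push("Access-Control-Allow-Origin does not match the page origin");
  return findings;
}

// Origins come from the post; credentialsMode is assumed (client call not shown).
const ctx = { pageOrigin: "http://localhost:3007", apiOrigin: "http://localhost:8085",
              credentialsMode: "include" };
console.log("browser capture:", cookieFindings(BROWSER_CAPTURE, ctx));
console.log("curl capture:   ", cookieFindings(CURL_CAPTURE, ctx));
```

The curl capture fails the two CORS header checks only because curl sends no Origin header, so a curl or POSTMAN response does not show what a page on another origin receives.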
