Spring security + session : Receive "Set-Cookie" header but not set in browser
Solution 1
Issue was in angular side ! I added an interceptor adding the withCredentials parameter and it works.
@Injectable()
export class XhrInterceptor implements HttpInterceptor {
intercept(req: HttpRequest<any>, next: HttpHandler) {
const xhr = req.clone({
withCredentials: true
});
return next.handle(xhr);
}
}
Solution 2
Create a CORS Filter in backend add this
response.setHeader("Access-Control-Allow-Headers",
"Date, Content-Type, Accept, X-Requested-With, Authorization, From, X-Auth-Token, Request-Id");
response.setHeader("Access-Control-Expose-Headers", "Set-Cookie");
response.setHeader("Access-Control-Allow-Credentials", "true");
Related videos on Youtube
BkSouX
Updated on June 04, 2022Comments
-
BkSouX almost 2 years
I'm trying Spring Security & Session with an Angular front end. I get a 200 code when trying to login with that response header :
Set-Cookie: SESSION=NGJlYTkzODQtNTQzMy00NGIxLWEzOWYtYTc2MGNlZWY1OTJm; Path=/; HttpOnly; SameSite=Lax
But in my next request to the server, no cookie is automatically set in the request. And by the way, I cannot see the cookie in the developer tools so I think it's not saved.
I'm working in local for the front & back end.
Here are some info about the back end :
using Spring MongoDb Session
@Configuration @EnableMongoHttpSession public class SessionConfig { }
- Classic Spring security Config
` @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { private final CustomAuthenticationProvider authProvider;
public SecurityConfig(CustomAuthenticationProvider authProvider) { this.authProvider = authProvider; } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(authProvider); } @Override protected void configure(HttpSecurity http) throws Exception { http .cors().and() .authorizeRequests() .anyRequest().authenticated() .and() .httpBasic(); //todo csrf } @Bean CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); configuration.setAllowedOrigins(Collections.singletonList("http://localhost:4200")); // todo properties by environment configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH")); configuration.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization")); configuration.setAllowCredentials(true); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", configuration); return source; }
} `
The session is well saved in the mongodb, just the id not saved in the browser. Any idea ?
edit
When setting
observer: "response"
in the httpClient parameters, I cannot see the Set-Cookie header :"cache-control: no-cache, no-store, max-age=0, must-revalidate,content-type: application/json,expires: 0,pragma: no-cache"
But in the developer tool I have :
HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Access-Control-Allow-Origin: http://localhost:4200 Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Set-Cookie: SESSION=YTEwOTNkNjAtZjI4MS00ZmM2LWExYmEtYzA5NzJhMjAyNTJh; Path=/; HttpOnly; SameSite=Lax Content-Type: application/json Transfer-Encoding: chunked Date: Mon, 01 Jul 2019 11:25:08 GMT
-
Mr code. almost 5 yearsTry reading full response at angular side by passing option observe: 'response'
-
BkSouX almost 5 yearsSet-Cookie is not in the array. I only have
"cache-control: no-cache, no-store, max-age=0, must-revalidate,content-type: application/json,expires: 0,pragma: no-cache"
-
BkSouX almost 5 yearsGot it ! Thank you @Mrcode. I had to add the withCredentials parameter in angular side.