# Spring Boot, Cookies not saving in browser, but works fine in Insomnia


olive trout

I've been asking ChatGPT and Google for the past 2 hours, without luck and I'm losing my sanity. Cookies are simply not being saved, but they are being sent.

When I test in Insomnia, the cookies are saving in Insomnia properly, so all works fine there. I have tried setting the cookie in two different ways in Spring, without luck, and also removed duplicate CORS settings without luck (I forgot to remove the CORS annotation on RestControllers after making a global CORS policy thing).

I'm unsure what code is relevant, and I don't want to dump all my code, but these are the two methods I have tried using to set cookies. Both successfully sent the cookies, but the browser never saved any, only Insomnia did.

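```java
// Cookie and HttpServletResponse come from jakarta.servlet.http on Spring Boot 3,
// or javax.servlet.http on Spring Boot 2.
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

// First attempt: build a servlet Cookie; no SameSite attribute is set here.
public static Cookie createCookieOld(TokenType tokenType, String token) {
    Cookie tokenCookie = new Cookie(tokenType.getName(), token);
    tokenCookie.setHttpOnly(true);
    tokenCookie.setSecure(true);
    tokenCookie.setPath("/");
    tokenCookie.setMaxAge(tokenType.maxAge);
    return tokenCookie;
}

// Second attempt: build the Set-Cookie header with Spring's ResponseCookie.
public static void setResponseCookie(HttpServletResponse response, TokenType tokenType, String token) {
    ResponseCookie cookie = ResponseCookie.from(tokenType.getName(), token)
            .httpOnly(true)
            .secure(true) // Must be true for SameSite=None
            .sameSite("None") // Required for cross-origin requests
            .path("/")
            .maxAge(tokenType.maxAge)
            .build();
    response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
}
```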
slender ocean BOT

<@&1004656351647117403> please have a look, thanks.

olive trout

I just realized my setup may be quite relevant. The Spring Boot application is behind an Nginx reverse-proxy with SSL. I'm using a "production website" with SSL as well, so no localhost or missing certificates anywhere.

olive trout

I suspected CORS to be the culprit, so I changed it a bit, got a CORS error and got it fixed again. I don't think it's CORS, but I'm still not sure.


I found this. Could it be because the cookies are saved for my subdomain? I'll continue my investigation.

olive trout

Ok, so apparently I'm just stupid 🤦
In my JavaScript front-end I had to add `credentials: 'include'` to my fetch request to ensure the cookies got saved.