Unable to get httpOnly cookie inside getServerSideProps

[kagithapk]

I'm setting a cookie from the next (pages/api)

pages/api/login.ts

import { serialize } from 'cookie';

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse<Data | Error>
) {
  try {
    // API call to another backend server (Nest JS) to login and get jwt
    const response = /* API call here */
      /*
        response = {
          data: {
            ...userData,
            jwt: token,
           },
          }
      */
      if (response?.data?.jwt) {
        const responseToSend = {
          ...response.data,
        };
        delete responseToSend.jwt;
        res
        .status(response.status)
        .setHeader(
            'Set-Cookie',
            serialize('auth', response.data.jwt, {
            httpOnly: true,
          })
        )
        .send(responseToSend);
    }
    // ...
}

pages/Home.tsx

export const getServerSideProps: GetServerSideProps = async function (context) {
  console.log(context.req.headers.cookie); // undefined - NOT RECEIVING COOKIE.
  console.log(context.req.cookies); // {}
  // ...calling another backend API to verify user based on jwt
}

Am I missing any configuration to get an HTTP-Only cookie inside getServerSideProps or is it even possible to get an HTTP-only cookie inside getServerSideProps?

When I make the same API call for authentication check pages/api/user (that check if the jwt is valid) from useEffect, it passes the cookie to the next (pages/api).

pages/api/user.ts

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse<Data | Error>
) {
  try {
    console.log(req.cookies); // { auth: token } - Receiving Cookie
    // ...calling another backend API to verify user jwt
  }
}

[icyJoseph]

Hi,

I have a bunch of apps that do this, and it works flawlessly so I am gonna guess we are missing something here, as usual with cookies, you have to squint hard to see where the error is.

While I setup a reproduction demo, could you please try with setting a path to the cookie? with this value: /

Edit

Alright, just did some testing, and the Path must be set explicitly when using the cookie library, it is not set to / by default, which I think is ok, it is just common practice to set it as / - Do let me know if that change makes it work for you.

  res.setHeader(
    "set-cookie",
    serialize("tomato", "foo-bar", { path: "/", httpOnly: true })
  );

Here's a video by Feross, from his Web Security course explaining the Path better than I can

[kagithapk]

Thank you @icyJoseph! It's working when I set path: '/'.

[nikantkamat]

I have the same issue nextjs SSR returning no cookies in ctx.req.cookies and ctx.req.headers

My express server :
res.cookie('tokenkey', 'tokenValue', { maxAge: 1 * 60 * 60 * 1000, httpOnly: true, sameSite: 'none', secure: process.env.NODE_ENV === 'development' ? true : true, path : '/' });

Nextjs ssr:

`export const getServerSideProps: GetServerSideProps<{ data: HomePagePropData }> = async (context ) => {
console.log(context.req.cookies); //gets empty on production
console.log(context.req.headers); // has key values but not cookie

const res = await fetch(mydomain.com/user, {
headers : {
"Cookie" : context.req.headers.cookie!
}
})

if (!res.ok) {
return {
redirect: {
destination: '/auth'
},
props :{
data :{
user : {}
}
}
}
}

let user = await res.json() as User;

return {
props: {
data: {
user
}
}
}

}`

Everything works fine in development

[TylerOlthuizen]

did you ever get this fixed?

[gregg-cbs]

I am experiencing this with next13.

I have strapi as my cms. I am setting an httpOnly cookie in there and some reason when its httpOnly next serverside cannot see it.

It works on localhost because both the server are running on localhost and its not secure.

I have a feeling the way nextjs serverless functions are running might have something to do with this. Maybe the functions are running on an IP which is not the domain the cookie is secured to... i dont know.

[milanpoudelwebdeveloper]

Hello has this been fixed?

[naimulemon]

I faced the same issue is it fixed or how can we fixed ?