Remove httponly from cookie when making HTTP call using Flutter #48

Closed
baliganikhil opened this issue Oct 4, 2020 · 7 comments
Labels
bug Something isn't working

Comments

@baliganikhil

I have an Express application that has a cookie-based authenticated route. I am using cookie-session to store auth tokens in the cookie.

I am developing a mobile app using Flutter and am using the requests package to manage cookies while making HTTP calls. I am able to make basic HTTP GET and POST calls.

My Express application has two routes - Sign In and Get Info. The route to Sign In authenticates the user and sets an auth token in the cookie using cookie-session. The Get Info gets information for an authenticated user, and the authentication is checked by a middleware.

The Express application is working as expected when I make calls using Postman or curl but is failing when I make calls using Flutter.

When I analysed the differences, I found that the Flutter application is adding an 'httponly' in the cookie, and consequently, the auth tokens are not being extracted. When making the same call using curl, it failed with httponly and worked when I removed the httponly flag in the cookie.

I tried toggling httponly in cookie-session by using sessionOptions and it has not worked.

I am not sure if this is a problem with the serverside code or the clientside code - Could you help me understand if there is a flag that I need to toggle or get around this?

@AtamyratBabayev

AtamyratBabayev commented Oct 9, 2020

Hi, I have the same issue with cookies, so I made my own custom cookie parser method. This might help you (not sure):

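```dart
import 'package:http/http.dart' as http;

// Request headers reused for the following calls.
final Map<String, String> headers = {};

void updateCookie(http.Response response) {
  final String? rawCookie = response.headers['set-cookie'];
  if (rawCookie != null) {
    final String parsedCookies = _parseCookies(rawCookie);
    headers['cookie'] = parsedCookies.isNotEmpty ? parsedCookies : rawCookie;
    print(parsedCookies);
  }
}

String _parseCookies(String cookies) {
  final List<String> rawCookiesString = cookies.split(';');
  final Map<String, String> rawCookies = {};
  for (final String rawCookieString in rawCookiesString) {
    // Split on the first '=' only, so a value that contains '=' stays whole.
    final int eq = rawCookieString.indexOf('=');
    if (eq != -1) {
      final String key = rawCookieString.substring(0, eq).trim();
      final String value = rawCookieString.substring(eq + 1).trim();
      switch (key) {
        case 'PHPSESSID':
          rawCookies['PHPSESSID'] = value;
          break;
        case 'default':
          rawCookies['default'] = value;
          break;
        // Second cookie glued to the previous cookie's HttpOnly attribute.
        case 'HttpOnly,default':
          rawCookies['default'] = value;
          break;
      }
    }
  }
  // Send back name=value pairs only.
  return rawCookies.entries.map((e) => '${e.key}=${e.value}').join('; ');
}
```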
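
The thread turns on the difference between the two headers: `HttpOnly` is an attribute of the `Set-Cookie` response header, while the `Cookie` request header carries only `name=value` pairs. The sketch below is an added example, not code from the requests package or from any commenter. It generalises the parser above to any cookie name using `dart:io`'s `Cookie` class, and it assumes a single host (no path or domain scoping); the cookie names and values in `main` are constructed.

```dart
import 'dart:io';

// package:http folds repeated Set-Cookie headers into one comma-joined value.
// A comma starts a new cookie only when "name=" follows it, which keeps
// "expires=Wed, 21 Oct 2099 ..." in one piece.
final RegExp _cookieBoundary = RegExp(r',(?=\s*[^;,=\s]+=)');

/// Merges every cookie found in [foldedSetCookie] into [jar], keyed by name.
void storeCookies(String foldedSetCookie, Map<String, Cookie> jar) {
  for (final part in foldedSetCookie.split(_cookieBoundary)) {
    try {
      final cookie = Cookie.fromSetCookieValue(part.trim());
      final expired = (cookie.maxAge ?? 1) <= 0 ||
          (cookie.expires?.isBefore(DateTime.now()) ?? false);
      if (expired) {
        jar.remove(cookie.name); // the server asked for this cookie to be deleted
      } else {
        jar[cookie.name] = cookie; // a newer value overwrites the older one
      }
    } on Exception {
      continue; // skip a malformed cookie instead of failing the whole response
    }
  }
}

/// Builds the Cookie request header: name=value pairs only, no attributes,
/// so HttpOnly, Path, Expires and the like never travel back to the server.
String cookieHeader(Map<String, Cookie> jar) =>
    jar.values.map((c) => '${c.name}=${c.value}').join('; ');

void main() {
  // Constructed sample: two cookies folded into one header value.
  const folded = 'session=eyJ0b2tlbiI6ImFiYyJ9; path=/; '
      'expires=Wed, 21 Oct 2099 07:28:00 GMT; HttpOnly,'
      'session.sig=c2lnbmF0dXJl; path=/; HttpOnly';
  final jar = <String, Cookie>{};
  storeCookies(folded, jar);
  print(cookieHeader(jar));
}
```

The `HttpOnly` flag stays available on each stored `Cookie` object (`cookie.httpOnly`) for client-side policy decisions; it is simply never serialised into the request.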

@AtamyratBabayev

Do you know how to handle multiple requests with cookies? The problem is that I have multiple requests at the same time. So, the first request updates the cookie, but the second uses the old cookie and the second request gives me an error! Is it possible to handle that problem?

@imdatceleste
Contributor

@Mickey-A-Mouse - I use this package and have a mobile app that logs in, receives lots of cookies, and then sends many other requests to the server, each time sending back the cookie of previous calls and maybe receiving new cookies, even some that overwrite existing ones.

It works quite nicely, though I had to do some cookie-parsing magic myself, because of the way my server sends back cookies.

This package, afaik, uses the cookies that are stored for a domain+port every time you send a request, unless you remove the cookies beforehand.

@TheSeriousProgrammer

TheSeriousProgrammer commented May 14, 2021

I experienced the same issue in both dio and this library, looks like this issue is only with http requests.
So in the development environment one might consider self signed certificates and the verify:false flag.

I am a beginner flask-python developer, for self signed cookies I just add the flag --cert=adhoc in the run command.

Since http is obsolete in the market, this issue can be discarded ig.

@sehnryr sehnryr added the bug Something isn't working label May 9, 2022
@sehnryr
Collaborator

sehnryr commented May 10, 2022

Can you tell me if #69 fixed this issue?

@MarcoDiGioia
Contributor

MarcoDiGioia commented Jun 28, 2022

> Can you tell me if #69 fixed this issue?

@sehnryr

I still can't get the cookie saved in the browser (with Flutter for web).

I did some debugging and I think it's an issue with the http library: xhr.responseHeaders seems not to contain my Set-Cookie response headers in the BrowserClient.send method.
Anyway, I don't really know what is happening, because I can see all my response headers in the Chrome network tab with the right domain (e.g. app.local, which I'm using for the Flutter app and also for my backend).

Instead, when it is not web (so using IoClient), all response headers are present in the client response.

I opened an issue on dart-lang/http#726 for this.

@sehnryr
Collaborator

sehnryr commented Oct 13, 2022

@MarcoDiGioia, I've added the withCredentials argument in #80, which is false by default but will allow cookies to be handled when set to true.

@sehnryr sehnryr closed this as completed Oct 26, 2022