CookieSessionStorage httpOnly flag #2447

Unanswered

TaunoOtti asked this question in Help

TaunoOtti
Jan 22, 2023

Hi, cookie session should have httpOnly flag but it hasn't.

  session: CookieSessionStorage('__session', {
    httpOnly: true,
    secure: import.meta.env.VITE_NODE_ENV === 'production',
    sameSite: 'Strict',
    path: '/',
    maxAge: 60 * 60 * 24 * 7,
  }),

await session.set('customerAccessToken', accessToken);

/login response set-cookie header:

set-cookie: __session=%7B%22customerAccessToken%22%3A%2227bf696526198XXXX614b690b978580f%22%7D; Expires=Sun, 29 Jan 2023 16:35:43 GMT; Path=/

Am I doing something wrong?
Tried also with demo Stackblitz code and the result is same - no httpOnly flag.
https://stackblitz.com/edit/shopify-hydrogen-mf1bca?file=README.md

Replies: 0 comments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment