
Cookies not set if secureCookieAttribute and httpOnlyCookieAttribute is true #938

Closed
donn1123 opened this issue Oct 29, 2024 · 3 comments
Labels: bug (A bug that needs to be resolved), pending (An issue waiting for triage)

Comments

@donn1123

Environment

Reproduction

Here's my auth setup in nuxt.config

auth: {
  baseURL: '<API_URL>',
  globalAppMiddleware: true,

  provider: {
    type: 'local',
    endpoints: {
      signIn: { path: '<api>', method: 'post' },
      getSession: { path: '<api>', method: 'get' },
    },
    token: {
      signInResponseTokenPointer: '/access',
      maxAgeInSeconds: 300,
      sameSiteAttribute: 'none',
      secureCookieAttribute: process.env.NODE_ENV === 'production',
      httpOnlyCookieAttribute: process.env.NODE_ENV === 'production',
    },
    refresh: {
      isEnabled: true,
      endpoint: { path: '<api>', method: 'post' },
      refreshOnlyToken: true,
      token: {
        signInResponseRefreshTokenPointer: '/refresh',
        refreshRequestTokenPointer: '/refresh',
        maxAgeInSeconds: 60 * 60 * 24 * 1,
        sameSiteAttribute: 'none',
        secureCookieAttribute: process.env.NODE_ENV === 'production',
        httpOnlyCookieAttribute: process.env.NODE_ENV === 'production',
      },
    },
  },
},

Describe the bug

When I refresh the page it goes back to the login page again. I notice that auth.token and the refresh token are not set in the browser cookies. Locally, or even in prod, when I set secureCookieAttribute and httpOnlyCookieAttribute to false, the tokens are added and everything works just fine. The problem only happens when I set secureCookieAttribute and httpOnlyCookieAttribute to TRUE.

My backend, where I call the API, uses JWT, and I also tried adding
Set-Cookie: auth.token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...; HttpOnly; Secure; SameSite=Lax; Path=/; Expires=<some expiration date> in the login API response.

Additional context

No response

Logs

No response
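The report above turns on the HttpOnly, Secure and SameSite=None attributes together, and those attributes have browser-side rules that decide whether a cookie is stored at all: a cookie carrying HttpOnly is ignored if it is written from script (document.cookie), a Secure cookie is not stored on a non-HTTPS origin, and SameSite=None is rejected by current browsers unless Secure is also present. The following is an added example, not code from the issue or from the nuxt-auth module; the names buildSetCookie, parseSetCookie, checkSetCookie and SAMPLE_JWT are assumptions for this illustration, and the token value is constructed.

```javascript
// Added example (not from the issue or the nuxt-auth module): build a
// server-side Set-Cookie header for a token and check it against the
// attribute rules browsers apply before storing a cookie.

// Constructed sample token; not a real credential.
const SAMPLE_JWT = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e30.constructed-signature';

// Assemble a Set-Cookie header value from a name, a value and the attributes
// a token cookie typically carries (Max-Age, Path, SameSite, Secure, HttpOnly).
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Split a Set-Cookie header into name, value and a lower-cased attribute map.
// Flag attributes (Secure, HttpOnly) map to true; valued ones keep their string.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Return the reasons a browser would drop this cookie, given the page scheme
// ('https' or 'http') and how the cookie is being set ('header' for a
// Set-Cookie response header, 'document.cookie' for a write from script).
// An empty array means the cookie would be stored.
function checkSetCookie(header, { scheme = 'https', setVia = 'header' } = {}) {
  const c = parseSetCookie(header);
  const problems = [];
  const sameSite =
    typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;

  if (sameSite === 'none' && !c.attrs.secure) {
    problems.push('SameSite=None requires Secure; current browsers reject the cookie');
  }
  if (c.attrs.secure && scheme !== 'https') {
    problems.push('Secure cookie is not stored for a non-https origin');
  }
  if (c.attrs.httponly && setVia === 'document.cookie') {
    problems.push('HttpOnly cookies cannot be set from script; the write is ignored');
  }
  return problems;
}

// Usage: the header the backend should send so the browser keeps the token
// out of script reach, and two situations in which the same cookie is lost.
const header = buildSetCookie('auth.token', SAMPLE_JWT, {
  maxAge: 300,
  sameSite: 'None',
  secure: true,
  httpOnly: true,
});
console.log(header);
console.log('served over https:', checkSetCookie(header));
console.log('served over http:', checkSetCookie(header, { scheme: 'http' }));
console.log('set from script:', checkSetCookie(header, { setVia: 'document.cookie' }));
```

The practical consequence for a setup like the one in this issue is that HttpOnly and Secure only take effect on a cookie the backend emits in a Set-Cookie header over HTTPS; a cookie written by client-side code cannot be HttpOnly, and during plain-HTTP local development a Secure cookie is simply never stored, which looks exactly like "the token is not set".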

donn1123 added the bug (A bug that needs to be resolved) and pending (An issue waiting for triage) labels on Oct 29, 2024
@julienguillot77

I'm facing the same issue. Can someone please fix it?

@Aniket-Harmoney

Aniket-Harmoney commented Dec 17, 2024

Hi, is this issue being solved? Because I'm in dire need of setting httpOnly cookies, and setting httpOnlyAttribute to true in nuxt.config.ts is just not working. If not, is there any workaround I can do for this? I need to solve this security risk asap. @zoey-kaiser

@zoey-kaiser
Member

zoey-kaiser commented Dec 17, 2024

Hey everyone 👋

I am reasonably sure that this issue is a duplicate of #851. Therefore I would continue the discussion there around httpOnly not being correctly set!

@donn1123, one thing I noticed is that in your nuxt.config.ts you are setting some values dynamically using process.env.NODE_ENV === 'production'.

The nuxt.config.ts gets compiled at build time (when you run nuxi build) and not at runtime (when you start the built application). Therefore, if you do not set NODE_ENV to production when building, this could cause issues.

I cannot know if this could affect you, however I did just want to point out that pitfall, as it could create a potential issue 😊

zoey-kaiser closed this as not planned (won't fix, can't repro, duplicate, stale) on Dec 17, 2024