I have a flow set up so that my server sends a session cookie to the client, and in subsequent requests the client sends the cookie back to the server. I tried this on two browsers: Arc and Edge. Both the server and client are hosted on localhost.
It works when I navigate to the endpoint manually (i.e. typing it into my browser and visiting it).
I’d like for the server to receive the cookie in the incoming request, but that’s not happening.
This is my code on the Qwik side.
import { routeLoader$ } from '@builder.io/qwik-city';

export const useMe = routeLoader$(async (requestEvent) => {
  // Log the session cookie that arrived with the incoming request
  console.log(requestEvent.cookie.get('connect.sid'))
  console.log("Fetching the data.")
  const response = await fetch("http://localhost:3000/me", {
    credentials: 'include',
  });
  const data = await response.json();
  console.log(data)
  return data
})
I checked ‘Network’ to see if it actually sent a cookie with the request. Looking good, I believe.
Cookie “connect.sid” shows up. Does not present an issue according to the tool.
To make extra sure I logged the cookie data on the request, and the resulting response status as well.
{
  value: 's:Flx_Pz1Ort0emSq9LPRw2WLnBv4COhjD.An94X96us69JhLYnberFJru7QZVyZTL7Ze23zEbxCBc',
  json: [Function: json],
  number: [Function: number]
}
Fetching the data.
{ message: 'Forbidden resource', error: 'Forbidden', statusCode: 403 }
This is my Nest bootstrap() code.
async function bootstrap() {
  // Redis client backing the session store
  let redisClient = createClient()
  redisClient.on("error", err => console.log("Redis error: ", err))
  redisClient.on("connect", () => console.log("Redis connected."))
  redisClient.connect().catch(console.error)

  let redisStore = new RedisStore({
    client: redisClient,
    prefix: "scurvy:",
  })

  const app = await NestFactory.create(AppModule, {
    cors: {
      credentials: true,
    },
  });

  // express-session middleware; the session cookie is named connect.sid by default
  app.use(
    session({
      secret: process.env.SESSION_SECRET,
      resave: false,
      saveUninitialized: false,
      store: redisStore,
      rolling: true,
      cookie: {
        maxAge: 360000,
        secure: false,
        domain: "localhost",
        httpOnly: false
      }
    })
  );

  // Port taken from the host header in the request log (localhost:3000)
  await app.listen(3000);
}
I logged what the server received. No cookie header.
{
  host: 'localhost:3000',
  connection: 'keep-alive',
  accept: '*/*',
  'accept-language': '*',
  'sec-fetch-mode': 'cors',
  'user-agent': 'node',
  'accept-encoding': 'gzip, deflate'
}
As you can see, I’ve tried credentials: 'include', httpOnly: false, credentials: true server-side, et cetera. I’ve even tried editing browser privacy settings to no avail. If there’s something I’m missing or if something’s unclear, please let me know.
J.P. Irie is a new contributor to this site.
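The request log in the question shows 'user-agent': 'node', so the fetch inside routeLoader$ is issued by the Qwik server process, which has no browser cookie jar for credentials: 'include' to draw on. The following is an added example, not part of the original post, of one way to forward only the session cookie to the backend and only to the trusted origin; buildUpstreamInit, selectCookies, API_ORIGIN and FORWARDED_COOKIES are hypothetical names, and the sample header is constructed.

```javascript
// Added example (not from the original post). All helper names are hypothetical.
const API_ORIGIN = 'http://localhost:3000';          // backend origin from the post
const FORWARDED_COOKIES = new Set(['connect.sid']);  // session cookie name from the post

// Pick only allowlisted name=value pairs out of a raw Cookie header,
// leaving the values byte-for-byte as the browser sent them.
function selectCookies(rawCookieHeader, allowed = FORWARDED_COOKIES) {
  if (!rawCookieHeader) return '';
  return rawCookieHeader
    .split(';')
    .map((pair) => pair.trim())
    .filter((pair) => {
      const eq = pair.indexOf('=');
      return eq > 0 && allowed.has(pair.slice(0, eq));
    })
    .join('; ');
}

// Build the init object for a server-side fetch(). The cookie is attached
// only when the target is the trusted backend origin, so a session id is
// never relayed to any other host the loader might call.
function buildUpstreamInit(targetUrl, rawCookieHeader) {
  const headers = { accept: 'application/json' };
  if (new URL(targetUrl).origin === API_ORIGIN) {
    const cookie = selectCookies(rawCookieHeader);
    if (cookie) headers.cookie = cookie;
  }
  return { headers };
}

// Constructed sample of what a browser might send to the Qwik server.
const sampleIncoming = 'theme=dark; connect.sid=s%3AEXAMPLE.SIGNATURE; other=1';
const init = buildUpstreamInit('http://localhost:3000/me', sampleIncoming);
console.log(init.headers);

// Assumed wiring inside the routeLoader$ from the question:
//   const url = 'http://localhost:3000/me';
//   const raw = requestEvent.request.headers.get('cookie');
//   const response = await fetch(url, buildUpstreamInit(url, raw));
```

Because the loader now acts on the user's behalf with their session id, keeping the origin and cookie-name allowlists narrow limits what a mistaken or attacker-influenced target URL can receive.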