firebase cloud function won't store cookie named other than __session
If you are using Firebase Hosting + Cloud Functions, `__session` is the only cookie you can store, by design. This is necessary for us to be able to efficiently cache content on the CDN -- we strip all cookies from the request other than `__session`. This should be documented but doesn't appear to be (oops!). We'll update documentation to reflect this limitation.
Also, you need to set the Cache-Control header to private:
res.setHeader('Cache-Control', 'private');
Firebase https function unexpectedly strips `set-cookie` header
Oh my goodness I figured it out! The firebase function is setting the "set-cookie" header normally. The issue is twofold:
1. The domain associated with the firebase function is a google domain. You can't set functions for other domains (this is a browser restriction), so a hosted function cannot set a cookie for localhost. It also can't set a cookie for your app domain (which will be different than the domain associated with the function). You'll need to alias the function under your own domain for the ability to set cookies for your own domain (this won't help in development though). See this issue: https://stackoverflow.com/a/51461847/5490505.
2. This one really annoys me: Google Chrome (v71) automatically hides the "set-cookie" header from the response if it's being sent by another domain. If you were attempting to set the cookie for the app's domain, in this case the cookie wouldn't be set anyway, because of browser restrictions. If you don't specify the domain of the cookie however, then the cookie is set for the domain associated with the function, but Google Chrome doesn't show you the header and you have no idea it was set unless you examine your browser's saved cookies. This also gives the appearance that the header isn't even being included in the response, when it is. I thought that the cloud function was stripping the "set-cookie" header, when in fact Google Chrome was stripping the "set-cookie" header. I really don't like this design decision. It made debugging SO hard and I wasted so many more hours on this problem. Firefox behaves as expected, showing you the "set-cookie" header.
I'll also note that, for my purposes, the firebase function is setting a `secure`, `httponly` cookie that is only read by other functions. In this case, having the domain of the cookie be the domain associated with the functions is totally fine (my client side app never looks at the cookie anyway). As such, even though Chrome doesn't show the "set-cookie" header, the cookie is being set and everything is working fine. Another reason why Chrome's design decision is so, so bad.
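Since `__session` is the only cookie that reaches the function, several values have to share it. The sketch below is an added example, not code from either answer: an Express-style handler that packs state into one HMAC-signed `__session` value and sends it with the `Secure` and `HttpOnly` attributes and the `Cache-Control: private` header mentioned above. The key, the `visits` field, the `SameSite` setting and all helper names are assumptions made for illustration.

```javascript
// Added example; the key, field names and helper names are constructed.
const crypto = require('node:crypto');

const COOKIE = '__session'; // the only cookie Hosting forwards to the function
const KEY = 'constructed-demo-key'; // assumption: load from secret config in practice

const hmac = (body) => crypto.createHmac('sha256', KEY).update(body).digest();

// Pack several values into one cookie value: base64url(JSON) + "." + HMAC
function pack(data) {
  const body = Buffer.from(JSON.stringify(data)).toString('base64url');
  return `${body}.${hmac(body).toString('base64url')}`;
}

// Return the stored object, or null if the value is malformed or was modified
function unpack(value) {
  const [body, mac] = String(value).split('.');
  if (!body || !mac) return null;
  const want = hmac(body);
  const got = Buffer.from(mac, 'base64url');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
  try {
    return JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Find __session in a raw Cookie header; other cookies are ignored
function readSession(cookieHeader = '') {
  for (const part of cookieHeader.split(';')) {
    const i = part.indexOf('=');
    if (i > 0 && part.slice(0, i).trim() === COOKIE) {
      return unpack(part.slice(i + 1).trim());
    }
  }
  return null;
}

// Express-style (req, res) handler, the shape an HTTPS function receives
function handler(req, res) {
  const session = readSession(req.headers.cookie) || { visits: 0 };
  session.visits += 1;
  res.setHeader('Cache-Control', 'private'); // keep the CDN from caching this response
  // SameSite=Lax is a choice made for this example; it is not from the answers
  res.setHeader('Set-Cookie',
    `${COOKIE}=${pack(session)}; Path=/; Secure; HttpOnly; SameSite=Lax`);
  res.end(JSON.stringify(session));
}
```

A value that fails the HMAC check is treated as no session at all, so a client that edits the cookie starts over rather than being trusted.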