Add support for removing the 'secure' attribute on proxied cookies
Created by: edmorley
Our use case:
- When working on the UI of a product locally, it's useful to be able to point it at the stage/prod REST API so it can be tested with live data, and not just that in the local Vagrant instance etc
- In production the UI and API are on the same domain, so to avoid cross-domain issues locally we use webpack-dev-server's proxy mode (which makes use of http-proxy-middleware which itself uses node-http-proxy), to proxy requests from eg http://localhost:5000/api/* to https://prod-app.com/api/*.
- Production is served over HTTPS and so sets the secure cookie attribute.
- The local environment does not use HTTPS (it's something I'd like to explore in the future, it just makes integration with our full-stack Vagrant workflow more complicated).
- As such, the browser ignores the proxied cookie and doesn't associate it with the HTTP localhost UI.

If there was an option to strip the secure attribute from the proxied cookie, we could use the workflow above.
Example response:
curl -i "http://localhost:5001/api/auth/login/" <SNIP>
HTTP/1.1 200 OK
...
set-cookie: sessionid=REDACTED; expires=Wed, 24-May-2017 11:35:14 GMT; httponly; Max-Age=1209600; Path=/; secure
set-cookie: csrftoken=REDACTED; expires=Wed, 09-May-2018 11:35:14 GMT; Max-Age=31449600; Path=/; secure
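
The rewrite requested above, sketched as an added example for a local development proxy; it is not code from node-http-proxy or from the issue author. The names stripSecure and onProxyRes are hypothetical, and the sample headers are constructed from the response shown in the issue. It also reports cookies that a browser would still reject once Secure is gone.

```javascript
// Added example for a local dev proxy; not part of node-http-proxy.

// Rewrite one Set-Cookie value without its Secure attribute.
// Only attributes after the first ';' are inspected, so a cookie whose
// name or value contains the word "secure" is left untouched.
function stripSecure(setCookie) {
  const [nameValue, ...attrs] = setCookie.split(';').map((p) => p.trim());
  const name = nameValue.split('=')[0];
  const kept = attrs.filter((a) => a !== '' && a.toLowerCase() !== 'secure');
  const warnings = [];
  // Browsers refuse __Secure-/__Host- cookies that lack Secure.
  if (/^__(Secure|Host)-/i.test(name)) {
    warnings.push(`${name}: prefix requires Secure, browser will reject it`);
  }
  // Browsers refuse SameSite=None cookies that lack Secure.
  if (kept.some((a) => a.toLowerCase().replace(/\s/g, '') === 'samesite=none')) {
    warnings.push(`${name}: SameSite=None requires Secure, browser will reject it`);
  }
  return { header: [nameValue, ...kept].join('; '), warnings };
}

// Handler shaped for node-http-proxy's 'proxyRes' event, where
// proxyRes.headers['set-cookie'] is an array of header values.
// Rewrites the headers in place and returns any warnings.
function onProxyRes(proxyRes) {
  const cookies = proxyRes.headers['set-cookie'];
  if (!Array.isArray(cookies)) return [];
  const results = cookies.map(stripSecure);
  proxyRes.headers['set-cookie'] = results.map((r) => r.header);
  return results.flatMap((r) => r.warnings);
}

// Constructed sample mirroring the response in the issue.
const sample = { headers: { 'set-cookie': [
  'sessionid=REDACTED; expires=Wed, 24-May-2017 11:35:14 GMT; httponly; Max-Age=1209600; Path=/; secure',
  'csrftoken=REDACTED; expires=Wed, 09-May-2018 11:35:14 GMT; Max-Age=31449600; Path=/; secure',
] } };
console.log(onProxyRes(sample), sample.headers['set-cookie']);
```

With http-proxy this would be attached as `proxy.on('proxyRes', onProxyRes)`, and only in the development configuration.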