302 redirect with lambda-function and custom domain not setting cookie

Hi there

I’m having an issue getting a cookie set for https://deepdeepsheet.com/ (in production, localhost works fine)

If you visit that url you will be asked to log in using either Facebook or Google. The login flow works fine and FB or Google redirects to a lambda function:
https://deepdeepsheet.com/.netlify/functions/authReturn (the FB one)
https://deepdeepsheet.com/.netlify/functions/authReturnGoogle (the google one)

When FB/Google does the redirect they add some query parameters like ?code=blahblah&state=foo …but I don’t think that is important here

Those functions then do a 302 redirect that looks like this:
{
  statusCode: 302,
  headers: {
    'Location': 'https://deepdeepsheet.com', // in the real code this comes from an environment variable
    'Access-Control-Expose-Headers': 'Set-Cookie',
    'Set-Cookie': cookie, // the Set-Cookie header string built earlier in the function
  },
};
(I have been messing with this and trying various options)

The issue is getting the cookie set on the browser. In the network tab I can see two entries:

Request URL: https://deepdeepsheet.com/.netlify/functions/authReturn?code=BQLs81bO&granted_scopes=email%2Cpublic_profile&denied_scopes&state=dh44aa9j0b2f2jd0a6i8h399d

…this one is what I’m expecting…Response Headers contains my set-cookie for deepdeepsheet:

set-cookie: deepdeepsheet=I_ffcb9df4125f9eabc8639eff_S_6001c03542315d0008e85f9f; Max-Age=2592000; Secure

and Request Headers shows the deepdeepsheet cookie also:

cookie: deepdeepsheet=I_ffcb9df4125f9eabc8639eff_S_6001c03542315d0008e85f9f; G_ENABLED_IDPS=google; G_AUTHUSER_H=0

…but immediately below that entry in the Network tab I get this:

Request URL: Deep Deep Sheet

where the Request Headers have no set-cookie entry and the Response Headers show the cookies but without my deepdeepsheet one included:
cookie: G_ENABLED_IDPS=google; G_AUTHUSER_H=0

…I hope that is clear enough…

So what I’m trying to figure out is where that 2nd call is coming from - it seems to be overwriting my cookie.

Any clues/ideas you could give would be appreciated!

Thanks!
Simon

Hi again

Actually I figured out my own problem…but it took a while, so thought I’d share here in case anyone else had the same issue:

Bottom line: I needed to add Path=/ to the Set-Cookie directive

The problem was that the url that FB was redirecting to was like this:
https://deepdeepsheet.com/.netlify/functions/authReturn
(and Google’s was similar)

My lambda function at that address was then setting a cookie and redirecting to just
https://deepdeepsheet.com

So the cookie that I set had the path /.netlify/functions/authReturn, which made it unavailable at the root path /

Hence the need for the Path directive mentioned above. Just to spell it out, that authReturn endpoint returns this:

{
  statusCode: 302,
  headers: {
    'Location': 'https://deepdeepsheet.com',
    'Access-Control-Expose-Headers': 'Set-Cookie',
    'Set-Cookie': 'deepdeepsheet=cookieValueHere; Path=/; Max-Age=259200',
  },
}

Perhaps that seems really simple and obvious, but I was looking at all sorts of other things before I realized that.

Cheers
Simon

3 Likes

Thanks so much for sharing your fix! It’s a huge help to others who run into the same issue (and I’ve definitely seen others run into issues setting cookies from functions)

1 Like

This was really helpful! I spent like 15 minutes puzzling about why my cookie did not get updated. Thank you so much!

2 Likes

I only just saw your comment, but very glad to see my post helped!

1 Like