Serverless express app does not set cookies

Hello everyone,

I’m having a peculiar issue with an express app that does not send http-only cookies.
Some quick resources:

When I make a successful login attempt, before returning the JWT, I also return a cookie that contains the refresh token. But somehow the cookie is not set on the frontend (which is a basic Next app). This cookie is correctly set on localhost, but not when I deploy it to Netlify.

Do you have any idea what’s going on?

Best wishes,

Hmm… setting cookies from functions is definitely possible. Are you seeing any error in the console? If so, it’d be great to see a screenshot. And either way, a request id would let us check our logs in case we see any clues there.

In the meantime, here’s an example of a function that sets a jwt cookie:

Hello Jen,

Thanks for your response and the example from futuregerald’s repo. I have made some updates to my GET profile route to be more similar to it. But I still do not receive the cookie in the frontend.

I do not see any errors in the console (in the functions tab of my app). I can share the response headers, which include the request id:

HTTP/2 200 OK
access-control-allow-credentials: true
cache-control: no-cache
content-length: 198
content-type: application/json; charset=utf-8
etag: W/"c6-FjbP20F3CpJj+OGTG98nz16lbhg"
set-cookie: current_timestamp=1608547800547; Path=/
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
date: Mon, 21 Dec 2020 10:50:00 GMT
age: 0
server: Netlify
vary: Origin
x-nf-request-id: 8e1adbfd-da2f-49e2-b040-10e09957c490-17199041
X-Firefox-Spdy: h2

Best wishes,
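
An added example, not part of the thread and not Netlify's or the poster's code: a small check that reads the captured response headers above and reports which cookies the response actually carries and which attributes they lack. The cookie name `refresh_token` and the function names are assumptions, since the thread never names the refresh-token cookie.

```javascript
// Response headers as posted in the thread, trimmed to the relevant ones.
const capturedHeaders = `HTTP/2 200 OK
access-control-allow-credentials: true
content-type: application/json; charset=utf-8
set-cookie: current_timestamp=1608547800547; Path=/
server: Netlify
vary: Origin`;

// Split one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...rest] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  const name = eq === -1 ? "" : pair.slice(0, eq);
  return { name, value: pair.slice(eq + 1), attrs };
}

// List every cookie in a raw response and what a refresh-token cookie would
// still need. expectedName is an assumption: the thread never names the cookie.
function auditSetCookie(rawHeaders, expectedName) {
  const cookies = rawHeaders
    .split(/\r?\n/)
    .filter((line) => /^set-cookie:/i.test(line))
    .map((line) => parseSetCookie(line.slice(line.indexOf(":") + 1)));
  const findings = [];
  if (!cookies.some((c) => c.name === expectedName)) {
    findings.push(`${expectedName}: not present in response`);
  }
  for (const c of cookies) {
    const sameSite = String(c.attrs.samesite || "").toLowerCase();
    if (!c.attrs.httponly) findings.push(`${c.name}: missing HttpOnly`);
    if (!c.attrs.secure) findings.push(`${c.name}: missing Secure`);
    if (!sameSite) findings.push(`${c.name}: missing SameSite`);
    if (sameSite === "none" && !c.attrs.secure) {
      findings.push(`${c.name}: SameSite=None requires Secure`);
    }
  }
  return { names: cookies.map((c) => c.name), findings };
}

console.log(auditSetCookie(capturedHeaders, "refresh_token"));
```

Run against the headers above, it shows that only `current_timestamp` came back in the response, so the refresh-token cookie was dropped before the browser ever saw it.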

Thanks so much, that’s helpful. Checking our logs for that ID, I am seeing this error:
"Failed to parse token" error="signature is invalid" in response to a GET request to Can you try logging the signed payload when deployed vs. locally and see if they differ?

Hello Jen,

Please excuse my negligence, that URL was under an authentication middleware and I believe the error message is a valid one. To correct this, I have created this public page

On clicking the button, it triggers a GET request on the public URL, which should send some cookies to the frontend, as you can explore in the request headers from that request.

The request id is now b619cded-aaef-415d-a297-3cc611ed8a91-17070907.

Best wishes,

Thanks for that! I didn’t see anything surprising in our logs, but I did confirm that the cookie wasn’t set :frowning: I’ll put this in front of my colleagues in case they have any ideas about what the problem could be.

One alternative to try would be setting the cookie in the function response, like this:

exports.handler = async function(event, context) {
    return {
      statusCode: 200,
      // HttpOnly keeps the cookie out of reach of client-side JavaScript
      headers: {"set-cookie": "cookieName=cookieValue; HttpOnly"}
    };
};