httpOnly cookie authentication #530

Closed Answered by enisdenjo

4lp asked this question in Q&A

httpOnly cookie authentication #530

Jan 16, 2024

· 1 comments · 1 reply

Answered by enisdenjo Return to top

4lp
Jan 16, 2024

Is there any way to use an httpOnly cookie for authentication in graphql-ws? The http graphql library I'm using include a credentials option to set cookies for those requests but I haven't be able to find anything similar for this library. Right now I'm having to exact a JWT from a cookie and use the value for the request authorization header, meaning I can't set it as httpOnly.

Answered by enisdenjo

The browser native WebSocket automatically sends cookies alongside the upgrade request. There are no credentials configuration options when instantiating a WebSocket. Also see #257 (comment).

Furthermore, there's no way you can set custom headers in the browser's WebSocket.

Also beware that httpOnly cookies cant be accessed from JavaScript.

View full answer

Replies: 1 comment 1 reply

enisdenjo
Jan 16, 2024
Maintainer

The browser native WebSocket automatically sends cookies alongside the upgrade request. There are no credentials configuration options when instantiating a WebSocket. Also see #257 (comment).

Furthermore, there's no way you can set custom headers in the browser's WebSocket.

Also beware that httpOnly cookies cant be accessed from JavaScript.

1 reply

4lp Jan 16, 2024
Author

thanks for the quick reply! based on the links you provided it doesn't seem like this is possible so I'll just have to use my current strategy

Answer selected by enisdenjo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment