I tried setting some data using merge access token...
# support-questions-legacy
c
I tried setting some data using merge access token payload on the backend and then useSessionContext to get the payload on the frontend. I am able to set the data properly on the backend, but when I try to get it on the frontend it is always an empty object {}. Any idea why?
r
Hey!
Can you print out the value of sFrontToken here that you see in the cookie on your browser? (After the backend has updated the access token payload)
Also, are you using axios or fetch when you make that api call?
c
axios, and I have done this: Session.addAxiosInterceptors(myAxios);
r
Hmmm
Can you enable frontend debug logs and show me the output of that when you make that api call?
c
How do I enable frontend debug?
r
Check out the troubleshooting section in the docs
c
Will try that out... On a different note, I have cookie_secure=True? My understanding is that with cookie_secure=True, cookies will only be transmitted on https. I am developing on http://localhost. How come the cookies are getting transmitted anyway?
r
is your API domain on https?
c
No both are on localhost
r
hmmm and both with http?
c
fastapi localhost, nextjs localhost. Both http
r
that's weird
when you login, and you get the set-cookie header back, what is the value of that header?
c
Can't seem to get that, the page refreshes
r
ok open the cookie store on the browser
and see the sAccessToken value
do you see a tick against the secure attribute?
c
Nope
r
hmm.
c
Wait
I do
Yes there is a tick on secure
r
right
c
and also http
httponly
r
so the browser is sending these cookies even if you are just using http://...?
c
Yes
r
that's really odd
which browser?
c
This is chrome
Weird thing is I was using jwt_auth, a library for fast api
And it was the same
I set the secure flag to true, and the cookies transmit anyway
In fact, if you do not have secure=true,
Chrome will put a yellow triangle warning you
r
huh
c
So you have to use secure cookies else it won't work on chrome
r
this is very very strange
c
I think they made this adjustment a few years ago
r
never heard of this issue before
can I see the full request sent by chrome to one of the APIs which requires a session?
The URL, request headers, response headers
It says "The new rule demands that all cross-site cookies set in a browser have to be set with Secure attribute if they are to have None as their SameSite value. This is esoterically for cookies meant to be served in cross-site contexts only."
I will show you those tmr it's late here
r
yea.. but then you also need to send a query to https and not http
the fact that it's sending the secure cookies with http is just weird.
c
Yes
I would like to know why
Are you one of the ST devs?
Maybe they can help...
r
yup i am
can you open an issue about this on one of our repos? We can check it out
c
I think this was intended
secure works as expected except for "localhost"
r
Ahh I see