I am working on my first mobile app that connects to my website backend. I’m running into an issue with getting the session sid cookie set. My login API from the mobile app is calling my
<form id="login1" method="post" is="dmx-serverconnect-form" action="https://ameforesight.com/api/registration/login" dmx-on:unauthorized="notifies1.warning('Unauthorized')" dmx-on:error="notifies1.danger('Uh oh, there was an error.')" dmx-on:success="notifies1.success('Nice!')" credentials="true" site="ameforesight_web">
The mobile app is running on a local server. CORS is set up fine. I get a 200 response.
Response
:status: 200
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: http://localhost:62846
Set-Cookie: AWSALBTG=sEXJjL5ORG1f3Uxv/rCVTIV15BAWPVd3IVFgNC+rb4SdmZHpED41z/MhKu6PEa/ucNxvYndePb9ATYIXDTPr08CkQxwfnFJxbZAcHF2/YsAuJ6+jDsClV5+uc3g/Ywb3tejmUPjOO4dUruH8/L9Q+QBII4BLSUQVzoESagiI5kR5; Expires=Fri, 26 Jan 2024 21:27:27 GMT; Path=/
Set-Cookie: AWSALBTGCORS=sEXJjL5ORG1f3Uxv/rCVTIV15BAWPVd3IVFgNC+rb4SdmZHpED41z/MhKu6PEa/ucNxvYndePb9ATYIXDTPr08CkQxwfnFJxbZAcHF2/YsAuJ6+jDsClV5+uc3g/Ywb3tejmUPjOO4dUruH8/L9Q+QBII4BLSUQVzoESagiI5kR5; Expires=Fri, 26 Jan 2024 21:27:27 GMT; Path=/; SameSite=None; Secure
Set-Cookie: ameforesight_web.sid=s%3AMA_bX9ofW9TvliKWhqR24Uz644qlakQ5.ebHsyimZGrolxSUtZpPS2JhFXINgZYWE6%2BgVmTtksrc; Path=/; HttpOnly
Via: 1.1 70e229d4eacd4f08ec9e3ff9e96d427e.cloudfront.net (CloudFront)
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Date: Fri, 19 Jan 2024 21:27:28 GMT
Access-Control-Allow-Credentials: true
Content-Length: 16
X-Content-Type-Options: nosniff
ETag: W/"10-1hdmAldvBsUj9RCnmAnVo/K8SQI"
X-Frame-Options: SAMEORIGIN
Vary: Origin, Accept-Encoding
x-amz-cf-id: 3dJaSqgMccSeVu3eUkl76EUOoL0HGKTAJik2s6fLdprFfoXTSaYA-g==
x-cache: Miss from cloudfront
x-amz-cf-pop: MCI50-P2
permissions-policy: geolocation=(*), camera=(), microphone=(), display-capture=()
Strict-Transport-Security: max-age=31536000
The problem is the session cookie doesn’t seem to get set (can’t see it in my local cookies), so it is like I am not logged in. All my other server connect tasks use Security Restrict - so I just get an unauthorized response.
How can I get the session sid cookie to set? I have tried turning off the “Secure” feature on the cookie.
Any advice would be appreciated.
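
An added example, not part of the original post: a small JavaScript check that classifies the three Set-Cookie headers from the response above by whether a browser would accept and send them on a cross-site credentialed request (the app's origin is http://localhost:62846, the API is on ameforesight.com). It assumes the browser treats a missing SameSite as Lax and only honours SameSite=None together with Secure; cookie values are replaced with placeholders, and the function names are hypothetical.

```javascript
// Constructed sample: cookie names and attributes copied from the response
// above, values shortened to placeholders.
const sampleSetCookie = [
  "AWSALBTG=PLACEHOLDER; Expires=Fri, 26 Jan 2024 21:27:27 GMT; Path=/",
  "AWSALBTGCORS=PLACEHOLDER; Expires=Fri, 26 Jan 2024 21:27:27 GMT; Path=/; SameSite=None; Secure",
  "ameforesight_web.sid=PLACEHOLDER; Path=/; HttpOnly",
];

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Assumed browser model: a missing or unrecognised SameSite is treated as
// Lax, and SameSite=None is only honoured together with Secure.
function crossSiteVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  const declared = ["strict", "lax", "none"].includes(raw) ? raw : null;
  const effective = declared || "lax";
  const secure = attrs.secure === true;
  if (effective !== "none") {
    const reason = declared ? `SameSite=${declared}` : "no usable SameSite, treated as Lax";
    return { name, usable: false, reason };
  }
  if (!secure) {
    return { name, usable: false, reason: "SameSite=None without Secure is rejected" };
  }
  return { name, usable: true, reason: "SameSite=None; Secure" };
}

// Classify every Set-Cookie header of one response.
function auditResponse(headers) {
  return headers.map(crossSiteVerdict);
}

for (const v of auditResponse(sampleSetCookie)) {
  console.log(`${v.usable ? "cross-site ok " : "same-site only"}  ${v.name}: ${v.reason}`);
}
```

Under these assumptions only AWSALBTGCORS is usable from the localhost origin; ameforesight_web.sid carries neither SameSite=None nor Secure.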