Auth v6 - How to set cookie HttpOnly? ( Token-saving mechanism - Cookie Storage ) #13376

Closed
3 tasks done
hanoj-budime opened this issue May 14, 2024 · 1 comment

Comments


hanoj-budime commented May 14, 2024

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

None

Environment information

  System:
    OS: Windows 10 10.0.19045
    CPU: (12) x64 AMD Ryzen 5 PRO 4650U with Radeon Graphics
    Memory: 3.37 GB / 15.23 GB
  Binaries:
    Node: 18.19.0 - C:\Program Files\nodejs\node.EXE        
    Yarn: 1.22.21 - ~\AppData\Roaming\npm\yarn.CMD
    npm: 9.6.3 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: Chromium (123.0.2420.97)
    Internet Explorer: 11.0.19041.3636
  npmPackages:
    @vitejs/plugin-react: ^4.2.0 => 4.2.1
    aws-amplify: ^6.0.30 => 6.0.30
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    react: ^18.x => 18.2.0
    react-dom: ^18.x => 18.2.0
    react-icons: ^4.11.0 => 4.12.0
    react-router-dom: ^5.2.0 => 5.3.4
    start-server-and-test: ^2.0.3 => 2.0.3
    styled-components: ^5.0.1 => 5.3.11
    styled-components/macro:  undefined ()
    styled-components/native:  undefined ()
    styled-components/primitives:  undefined ()
    vite: ^5.0.0 => 5.1.4
    vite-plugin-node-polyfills: 0.17.0 => 0.17.0
  npmGlobalPackages:
    @aws-amplify/cli: 10.4.1
    npm: 9.6.3
    nx: 16.7.4

Describe the bug

How do you set the HttpOnly flag for cookies?

Expected behavior

Basically, I want to ensure that our cookies are more secure. Is it recommended to enable both 'HttpOnly' and 'Secure'?
Use secure cookies: Always mark cookies containing sensitive information as secure, ensuring they are only transmitted over HTTPS connections.
HttpOnly flag: Set the HttpOnly flag on cookies to prevent client-side scripts from accessing them. This mitigates risks like XSS attacks, where an attacker injects malicious scripts into a web page to steal cookies.

Reproduction steps

  1. Amplify v6
  2. Token-saving mechanism with Cookies

Code Snippet

Log output


aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

@hanoj-budime hanoj-budime added the pending-triage Issue is pending triage label May 14, 2024
@cwomack cwomack added question General question Auth Related to Auth components/category labels May 14, 2024
@cwomack cwomack self-assigned this May 14, 2024
@cwomack cwomack added feature-request Request a new feature duplicate If marked with duplicate, issue will be closed & original will be added for traceability and removed pending-triage Issue is pending triage question General question labels May 14, 2024

cwomack commented May 14, 2024

Hello, @hanoj-budime and thanks for opening this issue. The feature request to have support for httpOnly cookies is also captured within issue #8147, so we'll close this as a duplicate. The one difference I'll call out between the two issues is that it looks like you're developing a React app, which would inherently be client side. The feature and solution we are looking into for httpOnly cookies would be exclusive to having this capability on the server side.

But again, we're looking into a solution at this point and will communicate progress on issue #8147 for httpOnly cookie support. Let us know if there are further questions and feel free to upvote, comment, or add additional context to the other issue. Thanks!

@cwomack cwomack closed this as not planned Won't fix, can't repro, duplicate, stale May 14, 2024
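The two points raised in this thread, the hardening guidance quoted in the issue (mark token cookies Secure and HttpOnly) and the maintainer's note that HttpOnly is only achievable server-side, come down to one mechanism: the HttpOnly and Secure attributes are set by the server in a Set-Cookie response header, and browser JavaScript writing to document.cookie cannot create an HttpOnly cookie, so a purely client-side token store can never reach that protection. The Node.js block below is an added example and is not code from the Amplify library or from either participant. It builds a hardened Set-Cookie header the way a server (or an SSR/server-adapter layer) would, parses Set-Cookie headers, and audits one for the attributes a token cookie should carry. The function and option names (buildSetCookie, parseSetCookie, auditTokenCookie) are this example's own, and the sample headers are constructed, not captured from Amplify.

```javascript
// Added example (not Amplify's code): issuing and auditing token cookies.
//
// Why the server side matters: `document.cookie = "t=x; HttpOnly"` in a browser
// silently drops HttpOnly, so a client-side React app cannot protect a token
// cookie from script access. Only a Set-Cookie response header can.

// Build a Set-Cookie header value. Secure and HttpOnly are on by default so the
// caller has to opt out explicitly. Option names are this example's own.
function buildSetCookie(name, value, opts = {}) {
  const {
    maxAge = 3600,        // lifetime in seconds
    path = '/',
    domain,
    sameSite = 'Strict',  // 'Strict' | 'Lax' | 'None'
    secure = true,
    httpOnly = true,
  } = opts;

  // RFC 6265 token characters only; anything else would break the header.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  // Reject separators and whitespace instead of letting them split the header.
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('cookie value contains characters that must be encoded');
  }
  // Browsers reject SameSite=None unless the cookie is also Secure.
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires Secure');
  }

  const parts = [`${name}=${value}`, `Max-Age=${maxAge}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a single Set-Cookie header value into name, value and a lower-cased
// attribute map (flag attributes such as HttpOnly become `true`).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Audit a Set-Cookie header for a token-bearing cookie. Returns a list of
// findings; an empty list means the cookie carries the expected protections.
function auditTokenCookie(header) {
  const a = parseSetCookie(header).attributes;
  const findings = [];
  if (!a.httponly) findings.push('missing HttpOnly: readable via document.cookie, so XSS can steal the token');
  if (!a.secure) findings.push('missing Secure: cookie may be sent over plaintext HTTP');
  const ss = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : undefined;
  if (!ss) findings.push('missing SameSite: relying on browser default behaviour');
  else if (ss === 'none') findings.push('SameSite=None: cookie is attached to cross-site requests');
  if (!a['max-age'] && !a.expires) findings.push('no Max-Age/Expires: lifetime left to the browser session');
  return findings;
}

// Constructed samples (not real tokens or real Amplify output): what a
// client-side cookie store can produce versus a server-issued header.
const CLIENT_STYLE = 'idToken=eyJhbGciOi...; Path=/; Expires=Tue, 14 May 2024 12:00:00 GMT';
const SERVER_STYLE = buildSetCookie('idToken', 'eyJhbGciOi...', { maxAge: 3600 });

console.log('server-issued header:', SERVER_STYLE);
console.log('client-style findings:', auditTokenCookie(CLIENT_STYLE));
console.log('server-style findings:', auditTokenCookie(SERVER_STYLE));
```

The audit function is the part worth reusing: point it at the Set-Cookie headers of a real response (for example from the network tab or a curl -i run) and any token cookie that was written from browser JavaScript will show up as missing HttpOnly, because no client-side code path can add it.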