Question

I've observed that my express server sends a Set-Cookie header in response to every OPTIONS request made by my front-end Angular.js project.

The cookie has a new value on each of the OPTIONS requests, but is never actually stored by Chrome.

When I use passport.js to authenticate a user, the response to the POST request has the same header (again with a new cookie), but this time I can see that it is stored, and sent with subsequent requests in the Cookie header.

Which express module is doing this, and why? And why does Chrome not store the cookie?

This is more curiosity than anything, as it's not causing any problems (just caused a lot of confusion when trying to track one down).


Solution

The OPTIONS method is not supposed to have side effects. See the HTTP 1.1 documentation.

OPTIONS is a request for information to the server. Such a request is not considered a real interaction between a user and the server. The server likely makes the information available to all users.

The browser respects this and chooses to ignore the cookies, conforming to the specification. That said, it is a security risk to pass cookie data to the user openly. Even if it is not valid, it can reveal server-side internals, which can allow hackers to exploit it.

Other tips

Pretty sure this is a bug with the current session module. If you're using the new cookies session, then you won't hit this problem. Feel free to file a bug: https://github.com/expressjs/session

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow