Not able to set server side cookies


Hi,
We are developing an app for Shopify. The app should be able to set server-side cookies to avoid Apple's ITP 2.1 restrictions. I see the possibility of inserting a piece of JavaScript code into the theme.liquid file or of inserting scriptTags with the logic for saving cookies. But since these are executed on the frontend, in the browser, the cookies set this way are treated as client-side cookies, and these are limited to only 7 days in Safari browsers.

So we need to find a way in Shopify to set server-side cookies. The task of the app is this: on Shopify-based e-commerce websites, it has to read the URL from the browser, capture a specific parameter if it exists in the URL, and set it as a server-side cookie. That means that on loading of the pages, Shopify should respond with all the HTML and JavaScript of the page and, in addition, response headers with set-cookie: <parameter>=<value>. I have read through a lot of documentation, but I could not find the solution anywhere.
Could you please let me know if there is a way to do this?

Note: We are developing the same app for the Magento platform as well, and we are able to set server-side cookies there. This restriction on Shopify is making us deal with a lot of architecture changes. So showing us the way would be much appreciated.

1 Like

Hi @ashok_tatikonda ,

 

What you are trying to do shouldn't be difficult, but your question is extremely broad. I would suggest providing more information:

 

What server platform technologies are you using?

Code snippets of what you are trying now.

 

etc etc.

 

Best regards, GMKnight.

Store owner and app developer.
0 Likes

Thanks for your response @GMKnight .

 

Please find the details below.

 

1. The server platforms I am using are Node.js, Polaris, Koa and React JS, as per the latest Shopify documentation for app development.

2. Please find below the code snippet that tries to set a cookie in the response header. We inserted JavaScript code in the theme.liquid file that calls the API below, and the API responds with a cookie, which we hope will be stored in the browser as a server-side cookie. I see the API is working properly, and we even see Set-Cookie in the response headers in Firefox, but we could not see it in the browser cookies (storage). In other browsers, we do not even see Set-Cookie in the response headers.

 

router.get('/setC', async (ctx) => {
  console.log("finally....");
  var contentType = 'application/json';
  var content = '{"key": "value"}';

  ctx.res.setHeader('Access-Control-Allow-Origin', '*');
  ctx.res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');
  ctx.res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type,Set-Cookie');
  ctx.res.setHeader('Access-Control-Allow-Credentials', true);
  ctx.res.setHeader('Access-Control-Allow-Cookies', true);
  ctx.res.setHeader('Access-Control-Expose-Headers', 'Content-Length,Set-Cookie');

  // ctx.cookies.set("testcookie", "testvalue", {
  //   httpOnly: false,
  //   secure: false,
  //   sameSite: 'strict'
  // });

  ctx.res.writeHead(200, {
    'Set-Cookie': 'TestCookie=choco; SameSite=Lax; Secure=False; HttpOnly=False',
    'content-type': contentType
  });
  console.log("content type is ", contentType);

  ctx.res.end(content);
});
 
Please let me know if you need more details.
0 Likes

Hi @ashok_tatikonda ,

 

I'm on a critical project this morning but will try to find a more complete answer for you later today. 

So just speculating ... Couple of things that come straight to my mind:

 

1) Unless it's your own theme I'd recommend using a Script Tag rather than inserting JS into the Theme, perhaps even if it IS your own theme.

 

2) ctx.cookies.set would be the usual method of setting cookies I believe.

 

3) It's possible that a domain-thing is going on here stopping you from seeing the cookies in the browser dev tools. I'm interested - can you send subsequent requests back to the server and see the cookie being sent back with the request?

 

4) Could be related to CORS ... is there any way you can test without CORS? Do you even need those headers for an app? The app is installed for the merchant who runs the app and owns the domain and it seems that you may not need these? 

 

GMKnight.

Store owner and app developer.
0 Likes
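
Added example, not part of the thread and not Shopify's or any poster's code: it parses the Set-Cookie string from the snippet above the way RFC 6265 treats flag attributes (Secure and HttpOnly are set by presence, so `Secure=False` still marks the cookie Secure), and builds a header set for a credentialed cross-origin call, which must name one origin rather than `*`. The function names, the `shop.example` origins, the cookie name `ref` and the 30-day Max-Age are assumptions made for illustration.

```javascript
// Parse a Set-Cookie header value into the fields a browser acts on.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: undefined,
  };
  for (const attr of attrs) {
    const [rawName, ...rest] = attr.split('=');
    const name = rawName.trim().toLowerCase();
    // Secure and HttpOnly are flags: presence sets them, any "=value" is ignored.
    if (name === 'secure') cookie.secure = true;
    else if (name === 'httponly') cookie.httpOnly = true;
    else if (name === 'samesite') cookie.sameSite = rest.join('=').trim().toLowerCase();
  }
  return cookie;
}

// Build response headers for a cross-origin request sent with credentials.
// Returns null when the Origin is not on the allow-list (hypothetical helper).
function corsCookieHeaders(requestOrigin, allowedOrigins, name, value) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    // With credentials, the browser rejects "*"; echo the single approved origin.
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per origin, so caches must key on it.
    'Vary': 'Origin',
    // A cookie sent on cross-site requests needs SameSite=None together with Secure.
    // To leave HttpOnly unset, omit the attribute instead of writing "HttpOnly=False".
    'Set-Cookie': `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=2592000; SameSite=None; Secure`,
  };
}

// Constructed sample input: the header string from the post above.
const fromPost = parseSetCookie('TestCookie=choco; SameSite=Lax; Secure=False; HttpOnly=False');
console.log(fromPost); // secure and httpOnly both come out true
console.log(corsCookieHeaders('https://shop.example', ['https://shop.example'], 'ref', 'a b'));
```

The calling script also has to send the request with credentials (for example `fetch(url, { credentials: 'include' })`), otherwise the browser discards the Set-Cookie from a cross-origin response. `Set-Cookie` is never readable from page script, so listing it in `Access-Control-Expose-Headers` has no effect.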