Invalid cookie value

[seemsindie]

I have a blank server running with just , and it's working fine. But when i forward the port trough NAT because i have server listening inside VM and when i try to access the API on the host machine i get this:
{"statusCode":400,"error":"Bad Request","message":"Invalid cookie value"}

Any idea why is this happening, and how to fix it?

[edimoldovan]

Looks like a validation error, at least I get similar responses when validation fails. Do you have any kind of request validation in there?

[seemsindie]

nope, just this:
server.route({
method: 'GET',
path: '/',
handler: function(req, res) {
res('Hello World!');
}
});

[edimoldovan]

Just tried your code, works perfectly here. Can you post the rest of your app.js?

[MathieuLoutre]

I've seen that before and I'm not sure what's exactly happening (although nothing as complex as port forwarding was needed, just a simple server). The server wasn't even using any cookie related thing explicitly (no cookie auth etc.). Can you try in an incognito window?
I suspect a malformed cookie has been set somehow and hapi can't deal with it.

[seemsindie]

@edimoldovan
var Hapi = require('hapi');

var server = new Hapi.Server();
server.connection({ port: 3000 });
server.route({
method: 'GET',
path: '/',
handler: function(req, res) {
res('Hello World!');
}
});

server.start(function () {
console.log('Server running at:', server.info.uri);
});

But there is no issue on the host machine, but where the port is forwarded.

@MathieuLoutre Yes, it works in incognito, do you know witch cookie is the issue?

[MathieuLoutre]

@seemsindie no clue. But if you find out, I'm interested!

[seemsindie]

@MathieuLoutre i have another project on same domain 'localhost', and that project have two cookies, tr and tr_tkn. Can i somehow turn off cookie parsing, or if i can parse what i just want?

[MathieuLoutre]

Hum, I'm not 100% sure as I haven't done it myself, but I'd look here: https://github.com/hapijs/hapi/blob/master/API.md#route.config.state

[seemsindie]

@MathieuLoutre Yep, i just added

config: {
      state: {
        parse: false, // parse and store in request.state
        failAction: 'ignore' // may also be 'ignore' or 'log'
      }
    }

to the route and it's working.
Thanks man!

[MathieuLoutre]

Nice! Happy that we found a solution :)

[danielb2]

This happens at least when there's a space in the cookie. When dealing with legacy code and migration, this can be an issue. Should hapi really fail completely here?

[stefanwille]

I just got the same error on a freshly installed Hapi with the "hello" example from the homepage. After adding the config to the route by Mathieu it worked. Not a good experience.

It still worked after deleting all my cookies for the domain (which was localhost).

[vv13]

thank u very much.

[george-norris-salesforce]

Wait, you have to ignore a "failAction" to make cookies work? Is there another way?

[blex41]

@george-norris-salesforce you can also disable the server.options.state.strictHeader option to allow malformed cookies:

const server = new Hapi.Server({
    host: '0.0.0.0',
    port: 3000,
    state: {
      strictHeader: false
    }
});

I had the same problem with a cookie value from a third party which included spaces. This fixed it.

[lucaswxp]

I solved like this

server.connection({
  host: '0.0.0.0',
  port: port,
  state: {
    ignoreErrors: true
  },
  }
});

[svallory]

This just happened to me. It happens due to a malformed cookie. The boom error data contains the name of the cookie which is breaking the request parsing. If you delete it, the problem is fixed

[lucaswxp]

@svallory In case the cookie is generated in a third-party service which you have no control, I recommend the configuration above.

[BigBlueHat]

For posterity, Microsoft's MSAL authentication libraries use un-escaped spaces in their cookie values. Consequently, strictHeader: false (per above) is required to use those client-side libraries with a hapi-based server.