Tags: flutter, authentication, cookies, httponly, cookie-httponly

HTTPOnly session cookies can be read + accessed within Flutter?


I'm currently developing a mobile app using Flutter for iOS and Android for a customer whose application already exists for the web + has already been set up in the form of a REST API. The idea is to use the same backend for both the backend of the website + the backend of the mobile app, including authentication. The authentication currently works for the web application using multiple http-only cookies. So I initially thought that I would need to ask the customer to include the cookie values within the response payload for requests incoming from the mobile app, as I did not expect httponly cookies to be available to Flutter code.

I have now noticed, however, that when using Dart's http package I'm actually able to extract the value of all cookies, including the http-only cookies, via the response.headers property (set-cookie headers). That is, at least for now, in development mode, when testing the app using flutter run but with the real production REST API.

Is this normal and available by default for all clients / devices? So won't we have to code a workaround to be able to extract the http-only cookies values within Flutter?


Solution

  • You should not have a problem with Dart http requests, which translate to XMLHttpRequests.

    Note that the HttpOnly flag is to stop JavaScript loaded by the page from reading the cookies attached to the response that loaded the page originally.

    There's nothing to stop the JavaScript making an XMLHttpRequest and reading the headers (including cookies) of that response.

    Note that if such a request is cross origin - i.e. CORS - then other rules come into play about which headers can be seen in the response. Just be sure to add the relevant headers to the CORS response headers added by the server.
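An added example, not code from the question or the answer, showing what the native Dart client actually sees. The point worth keeping in mind: HttpOnly is enforced by browsers (page script cannot read such cookies through document.cookie, and Set-Cookie is a forbidden response-header name for XMLHttpRequest/fetch, so it is filtered out of header views there), but a mobile app built with package:http on iOS or Android is not a browser, so the Set-Cookie header arrives as plain text and the attribute is just another token in it. The same app compiled for Flutter web runs on the browser's XMLHttpRequest and would not see it. Two practical caveats the example handles: package:http exposes `Response.headers` as `Map<String, String>`, so multiple Set-Cookie headers come back joined with ", " (and Expires dates themselves contain commas, so a plain split on "," is wrong), and package:http keeps no cookie jar, so the app must send the values back itself. The joined header string below is constructed to mimic that map value; no network call is made.

```dart
// Added example (not from the question or answer): parse the joined
// set-cookie value that package:http puts in response.headers['set-cookie']
// and show that HttpOnly cookies are readable by a native client.

/// A cookie as parsed from one Set-Cookie header value.
class ParsedCookie {
  final String name;
  final String value;
  final bool httpOnly;
  final bool secure;
  final String? sameSite;
  final String? path;
  final String? expires;

  ParsedCookie(this.name, this.value,
      {this.httpOnly = false,
      this.secure = false,
      this.sameSite,
      this.path,
      this.expires});

  @override
  String toString() =>
      '$name=$value (httpOnly=$httpOnly, secure=$secure, sameSite=$sameSite, path=$path, expires=$expires)';
}

/// Split a ", "-joined Set-Cookie value into individual cookies.
/// A comma only starts a new cookie when it is followed by "token=" before
/// the next ';'; commas inside Expires dates ("Tue, 01 Jan 2030 ...") do not.
List<String> splitSetCookieHeader(String joined) {
  final parts = <String>[];
  var start = 0;
  for (var i = 0; i < joined.length; i++) {
    if (joined[i] != ',') continue;
    final rest = joined.substring(i + 1).trimLeft();
    final eq = rest.indexOf('=');
    final semi = rest.indexOf(';');
    final startsNewCookie = eq > 0 &&
        (semi == -1 || eq < semi) &&
        !rest.substring(0, eq).contains(' ');
    if (startsNewCookie) {
      parts.add(joined.substring(start, i).trim());
      start = i + 1;
    }
  }
  parts.add(joined.substring(start).trim());
  return parts.where((p) => p.isNotEmpty).toList();
}

/// Parse one Set-Cookie value: "name=value; Attr; Attr=val; ...".
ParsedCookie parseSetCookie(String raw) {
  final segments = raw
      .split(';')
      .map((s) => s.trim())
      .where((s) => s.isNotEmpty)
      .toList();
  final nv = segments.first;
  final eq = nv.indexOf('=');
  final name = eq == -1 ? nv : nv.substring(0, eq).trim();
  final value = eq == -1 ? '' : nv.substring(eq + 1).trim();
  var httpOnly = false;
  var secure = false;
  String? sameSite, path, expires;
  for (final attr in segments.skip(1)) {
    final aeq = attr.indexOf('=');
    final key = (aeq == -1 ? attr : attr.substring(0, aeq)).trim().toLowerCase();
    final val = aeq == -1 ? '' : attr.substring(aeq + 1).trim();
    switch (key) {
      case 'httponly':
        httpOnly = true;
        break;
      case 'secure':
        secure = true;
        break;
      case 'samesite':
        sameSite = val;
        break;
      case 'path':
        path = val;
        break;
      case 'expires':
        expires = val;
        break;
    }
  }
  return ParsedCookie(name, value,
      httpOnly: httpOnly,
      secure: secure,
      sameSite: sameSite,
      path: path,
      expires: expires);
}

/// Build the Cookie request header the app has to send back itself,
/// because package:http does not persist cookies between requests.
String buildCookieHeader(Iterable<ParsedCookie> cookies) =>
    cookies.map((c) => '${c.name}=${c.value}').join('; ');

void main() {
  // Constructed sample of response.headers['set-cookie'] after the server
  // sent three Set-Cookie headers, two of them HttpOnly (assumed values).
  const joined = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax, '
      'csrf=tok987; Path=/; Secure; SameSite=Strict, '
      'refresh=r-42; Expires=Tue, 01 Jan 2030 00:00:00 GMT; Path=/auth; HttpOnly; Secure';

  final cookies = splitSetCookieHeader(joined).map(parseSetCookie).toList();
  for (final c in cookies) {
    print(c);
  }
  // HttpOnly is only an attribute here; nothing stops this client reading it.
  final httpOnlyNames = cookies.where((c) => c.httpOnly).map((c) => c.name);
  print('HttpOnly cookies visible to the native client: ${httpOnlyNames.toList()}');
  print('Cookie: ${buildCookieHeader(cookies)}');
}
```

Running this with `dart run` prints three parsed cookies, lists `session` and `refresh` as HttpOnly, and prints `Cookie: session=abc123; csrf=tok987; refresh=r-42`, which is what the app would attach to its next request. In a real app the parsed values belong in secure platform storage (Keychain / Keystore), not in plain preferences, since on mobile they are effectively the session credential.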