i followed the sample of authorized-https-endpoint and only added console.log to print the req.cookies, the problem is the cookies are always empty {} I set the cookies using client JS calls and they do save but from some reason, I can't get them on the server side.

here is the full code of index.js, it's exactly the same as the sample:

'use strict';

const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp(functions.config().firebase);
const express = require('express');
const cookieParser = require('cookie-parser')();
const cors = require('cors')({origin: true});
const app = express();

const validateFirebaseIdToken = (req, res, next) => {
  console.log(req.cookies); //// <----- issue this is empty {} why?? 
  next();
};

app.use(cors);
app.use(cookieParser);
app.use(validateFirebaseIdToken);
app.get('/hello', (req, res) => {
  res.send(`Hello!!`);
});

exports.app = functions.https.onRequest(app);

store cookie:

curl http://FUNCTION_URL/hello --cookie "__session=bar" // req.cookies = {__session: bar}

doesn't store:

curl http://FUNCTION_URL/hello --cookie "foo=bar" // req.cookies = {}

If you are using Firebase Hosting + Cloud Functions, __session is the only cookie you can store, by design. This is necessary for us to be able to efficiently cache content on the CDN -- we strip all cookies from the request other than __session. This should be documented but doesn't appear to be (oops!). We'll update documentation to reflect this limitation.

Also, you need to set Cache-Control Header as private

res.setHeader('Cache-Control', 'private');