Chris Pfohl

Reputation: 19044

set-cookie header not working

I'm developing a small site w/ Go and I'm trying to set a cookie from my server.

I'm running the server on localhost, with 127.0.0.1 aliased to subdomain-dev.domain.com on port 5080.

When I receive the response for my POST to subdomain-dev.domain.com:5080/login I can see the set-cookie header. The response looks like this:

HTTP/1.1 307 Temporary Redirect
Location: /
Set-Cookie: myappcookie=encryptedvalue==; Path=/; Expires=Fri, 13 Sep 2013 21:12:12 UTC; Max-Age=900; HttpOnly; Secure
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Date: Fri, 13 Sep 2013 20:57:12 GMT

Why isn't Chrome or Firefox recording this? In Chrome it doesn't show up in the Resources tab. In FF I can't see it either. And in neither do I see it in future Request headers.

Upvotes: 58

Views: 113133

Answers (8)

chandan bhagat

Reputation: 1

This will solve the problem, OK.

The cookie's extra options should be:

secure: true, httpOnly: true, sameSite: "None", path: "/",

Then:

app.use(cors({ origin: "http://localhost:5173", credentials: true }));

And while requesting:

const res = await axios.post(
  "http://127.0.0.1:3000/api/v1/product",
  form,
  { withCredentials: true }
);

Upvotes: 0

Oleg Yablokov

Reputation: 835

In my case the cookies were set correctly but I was reloading the page immediately after a successful login:

window.location.reload();

When I removed that line I saw that cookies were actually set, I could see them in dev tools. Now I am trying to understand why the cookies are cleared upon page reload on my website (I am testing under https://127.0.0.1:3000)...

Upvotes: 0

Holden Karl Hain

Reputation: 25

Posting in case anybody new to web development is still struggling with cookies not working (as I was).

In order to get cookies working, you need to configure your CORS settings on the server side, and it seems like just "origin: *" won't do it.

I had to set my origin and then set my credentials to true on the server side. Example of how to do it if you're using Node: app.use(cors({ origin: "http://localhost:5173", credentials: true }));

Also, on the frontend side, when fetching data you need to make sure to set withCredentials to true. This option will include cookies and authentication headers in your XHR request.

Example of doing it in axios: const response = await axios.get(url, { withCredentials: true });

Hope this may help someone struggling with this.

Upvotes: 0

Kacper

Reputation: 104

flask, flask_jwt_extended

My issue was that I had a function (@Blueprint.after_app_request, which was run right before the response was sent back to the client) that set a header on the response to refresh the cookie.

So my logout function added the header to expire the cookie, and the refreshing function refreshed my cookie.

So the response had the following headers:

  1. Expire the cookie.
  2. Refresh the cookie.

Maybe this will help someone one day.

Upvotes: 0

aslade

Reputation: 21

For others who have encountered this issue, the set of things I needed to do in order to get my cookie (I happen to be using fastapi-users on the backend and js fetch api on the frontend):

  • change my cors configuration so that the set of headers was not "*" but fully specified (I pulled from the standard request fields)
  • add cookie_samesite="none" to my cookie transport in my backend configuration
  • add credentials: 'include' to my request in the fetch api

Upvotes: 2

serhii kuzmych

Reputation: 385

Found a related GitHub issue, "response cookies not being sent", that helped.
In my case I am running a React app under https (with the mkcert tool), making a cross-origin fetch request and getting a response. Cookies of the response are not set until I

  1. specify credentials: 'include' for the fetch request (example: fetch api)
fetch('https://example.com', {
  credentials: 'include'
});
  2. specify these response headers from the server
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost:3000

The Access-Control-Allow-Origin header has the value of the URL of my React app.

  3. add these attributes to the Set-Cookie header: Path=/; HttpOnly; Secure; SameSite=None (using http cookies)

Hope it helps someone!

Upvotes: 14

Ch0ufleur

Reputation: 400

In my case, I had to add this to my response:

access-control-expose-headers: Set-Cookie

I found here that my Set-Cookie header was not accessible to my client unless I added it to the exposed-header header. Hope this can help someone!

Upvotes: 28

Chris Pfohl

Reputation: 19044

See that Secure string in the cookie?

Yeah, me too. But only after a few hours.

Make sure you're accessing your site by SSL (https:// at the beginning of the URL) if you've got the Secure flag set.

If you're developing locally and don't have a cert, make sure you skip that option.

Upvotes: 77
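The checks from the answers above, as an added example in Go (the asker's server language); it is not code from the question or from any answer. The function name diagnose and its crossSite parameter are hypothetical, and the http:// scheme on the first URL is assumed from the accepted answer.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// diagnose returns the reasons a browser would discard the cookie carried by
// rawSetCookie when it arrives in a response from pageURL. crossSite is true
// when the response answers a fetch/XHR issued from a different site.
// Assumption: browser-specific exemptions for loopback hosts are not modelled.
func diagnose(rawSetCookie, pageURL string, crossSite bool) ([]string, error) {
	u, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	// Reuse net/http's own Set-Cookie parser via a synthetic response.
	resp := http.Response{Header: http.Header{"Set-Cookie": {rawSetCookie}}}
	cookies := resp.Cookies()
	if len(cookies) != 1 {
		return nil, fmt.Errorf("unparseable Set-Cookie header: %q", rawSetCookie)
	}
	c := cookies[0]
	var reasons []string
	if c.Secure && u.Scheme != "https" {
		reasons = append(reasons, "Secure cookie received over "+u.Scheme)
	}
	if c.SameSite == http.SameSiteNoneMode && !c.Secure {
		reasons = append(reasons, "SameSite=None without Secure")
	}
	if crossSite && c.SameSite != http.SameSiteNoneMode {
		reasons = append(reasons, "cross-site response but SameSite is not None")
	}
	return reasons, nil
}

func main() {
	// Header copied from the question; URLs use the question's dev host.
	const hdr = "myappcookie=encryptedvalue==; Path=/; Expires=Fri, 13 Sep 2013 21:12:12 UTC; Max-Age=900; HttpOnly; Secure"
	for _, page := range []string{
		"http://subdomain-dev.domain.com:5080/login",
		"https://subdomain-dev.domain.com:5080/login",
	} {
		reasons, err := diagnose(hdr, page, false)
		fmt.Println(page, reasons, err)
	}
}
```

An empty result means none of these three checks explains a missing cookie; it does not cover CORS response headers or client-side code that clears the cookie afterwards.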
