seanlee10

Reputation: 29

Can I pass headers to the redirected location after redirection?

Here's the response header of my redirection endpoint with status code 302.

"Location": "http://<target-domain>",
"Set-Cookie": "username=user1;"

I can see it redirects correctly to 302, but the cookie does not get set on the <target-domain>.

Looks like the header "Set-Cookie": "username=user1;" does not get passed to the <target-domain> on redirection.

I see 2 network activities in my development tool:

  1. Redirection endpoint responds with status code 302. I see Location and Set-Cookie in the response header.
  2. Target domain responds with status code 200. I don't see Location and Set-Cookie anymore.

Is there a way to set the cookies on the <target-domain>?

Upvotes: 0

Views: 94

Answers (1)

tadman

Reputation: 211580

You can't set cookies on a domain other than the one you're on, so basically no. The only exception to this is you can set cookies on example.com if your current domain is something like subdomain.example.com, where you can attach the cookies to a shorter form of your domain, but it must be the same base domain.

If you need the other site to set a cookie with a value it does not know, you'll have to pass that value through somehow. Using a redirect with a query string leaves it open to tampering by the user unless you cryptographically sign it (annoying) or ship over a token that can be used to retrieve the raw value. You may need a short-term store for this, like Redis, Memcached, or even a database row you can purge later.

If it were possible to set cookies on any domain at all there'd be utter chaos. These things are heavily restricted for a reason.

Upvotes: 1
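
The signed query string option mentioned in the answer above, as an added example that is not part of the original answer: the redirecting site signs the value with HMAC-SHA256 and an expiry, and the target site verifies it before setting its own cookie. The shared secret, the target URL, the parameter names (`u`, `exp`, `sig`) and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Assumption: both sites hold this secret, exchanged out of band (constructed value).
SHARED_SECRET = b"constructed-demo-secret"
TARGET = "https://target.example/landing"  # hypothetical target-domain URL


def _sign(username: str, expires: int) -> str:
    # The expiry is covered by the MAC so it cannot be extended by the user.
    msg = f"{username}\n{expires}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_redirect(username: str, ttl: int = 60, now: Optional[float] = None) -> str:
    """Redirecting site: value to send in the 302 Location header."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"u": username, "exp": expires, "sig": _sign(username, expires)})
    return f"{TARGET}?{query}"


def verify_and_make_cookie(url: str, now: Optional[float] = None) -> Optional[str]:
    """Target site: return its own Set-Cookie value, or None if rejected."""
    params = parse_qs(urlsplit(url).query)
    try:
        username = params["u"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameter
    expected = _sign(username, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # value or expiry was tampered with
    if (time.time() if now is None else now) > expires:
        return None  # link is too old
    # The cookie is set by the target domain itself, in its own response.
    return f"username={quote(username, safe='')}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

A signed link can still be replayed until it expires and the value is visible in the URL; the token-plus-short-term-store option from the answer avoids both by making the token opaque and single-use.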