Browser not keeping cookie from response header

Question

I am trying to do something supposedly simple and easy: set a cookie! But the browser (Chrome and Safari tested) is simply ignoring them. So the response headers look like:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:*
Connection:keep-alive
Content-Encoding:gzip
Content-Type:application/json; charset=utf-8
Date:Wed, 19 Jul 2017 04:51:51 GMT
Server:nginx
Set-Cookie:UserAuth=<some jwt>; Path=/; Domain=10.10.1.110; Expires=Wed, 19 Jul 2017 12:51:51 GMT; HttpOnly; Secure
Transfer-Encoding:chunked
Vary:Origin

The request does include withCredentials=true. But the cookies section in Chrome is empty. I've tried removing the domain altogether, removing the path, every configuration I can think of, but the browser just won't play ball.

What am I missing?

Answer 1

So it turns out that the original request had 'withCredentials=true' as a request header rather than being set on the XMlHttpRequest config object.

Answer 2

Your cookie showing HttpOnly; Secure;

Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie

The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a the cookie in clear text. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.

Cookies will be interrupted if travel through HTTP with secure flag in TLS layer. So check your preference and set the configuration of cookies accordingly.