Reputation: 19320
I'm using Java 8, Wildfly 11, Spring 4 and Apache 2.4. I have this Java code that sets the session cookie
cookie = new Cookie(SESSION_ID_KEY, sessionId);
...
// Strip the first label of the server name, e.g. "ec2-...compute-1.amazonaws.com"
// becomes "compute-1.amazonaws.com"; a bare name such as "localhost" is kept as-is.
final String serverName = request.getServerName();
final int firstDot = serverName.indexOf('.');
final String domain = firstDot == -1 ? serverName : serverName.substring(firstDot + 1);
// isIpAddress is computed elsewhere in the original code (not shown here)
if (!StringUtils.equals(domain, "localhost") && !isIpAddress)
{
    // Prefix with a dot so the cookie is sent to every subdomain of "domain"
    cookie.setDomain(domain.indexOf('.') > -1 ? "." + domain : domain);
} // if
// Drop a trailing slash from the context path so it becomes e.g. "/context"
final String contextPath = request.getContextPath() != null && request.getContextPath().endsWith("/")
        ? request.getContextPath().substring(0, request.getContextPath().length() - 1)
        : request.getContextPath();
cookie.setPath(contextPath);
System.out.println("setting domain " + domain + " and context path:" + contextPath);
response.addCookie(cookie);
I'm noticing in my browser this cookie isn't getting created. Then I looked in Postman, and noticed that the cookies weren't getting created, although I see these response headers ...
Set-Cookie: MY.SESSION.ID=10c25010534c4dd3900851ec1dfaebeb; path=/context; domain=.compute-1.amazonaws.com
Set-Cookie: closeTrialNoteDialog=""; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
It would seem that when a cookie isn't created, the response header still contains this Set-Cookie header. I can't tell what's wrong with either of the above, though, that would prevent the cookie from getting created. Any insight is appreciated.
Upvotes: 10
Views: 2797
Reputation: 16364
Cookie domains must be Private Domains, specific to your organization, not Public Domains, used by many organizations.
In this case, the AWS domain you are using, .compute-1.amazonaws.com, isn't being set because browsers consider this to be a Public Domain, specifically known as "Effective Top Level Domain (eTLD)", "Extended Top Level Domain", and "Public Suffix". Common top level domains (TLD) include "generic TLDs" (gTLD) like .com, .net and .org and "country-code TLDs" (ccTLD) like .us and .uk. With the public cloud, browsers now also consider popular shared, cloud domains to be "effective TLDs", including a number of domains from AWS such as the one you are attempting to use.
To set your cookie, you will need to set your cookie domain to a private domain, what Google calls "Effective Top Level Domain plus one" (eTLD+1), which means your Effective Top Level Domain plus one subdomain, e.g. your entire fully-qualified hostname in this instance: ec2-27-123-206-78.compute-1.amazonaws.com. Microsoft uses the term "Public Suffix plus one" (PS+1) for the same requirement.
Mozilla Foundation Reasoning for Excluding eTLD / Public Suffix
- Avoid privacy-damaging "supercookies" being set for high-level domain name suffixes
- Highlight the most important part of a domain name in the user interface
- Accurately sort history entries by site
Microsoft Reasoning for Excluding eTLD / Public Suffix
When setting a cookie, a website may specify which hosts the cookie should be sent to using the domain attribute. The browser must block attempts to set a cookie where the domain attribute does not end with the current page’s Private Domain. Failure to do so results in privacy and security concerns.
- Privacy: Allowing unrelated domains to share cookies can result in “super-cookies”-- cookies which are sent to multiple unrelated organizations that happen to share a Public Suffix.
- Security: Session-fixation attacks, where a good site and an evil site share a Public Suffix, and the evil site sets a malicious cookie on the Public Suffix so that the Good site is sent the evil cookie.
Google Chromium / Chrome Behavior
Google indicates Chromium (and thus Chrome) stores cookies using "eTLD+1" in the description of its CookieMonster class.
The central data structure of a CookieMonster is the cookies_ member, which is a multimap (multiple values allowed for a single key) from a domain to some set of cookies. Each cookie is represented by a CanonicalCookie(), which contains all of the information that can be specified in a cookie (see diagram and RFC 2695). When set, cookies are placed into this data structure, and retrieval involves searching this data structure. The key to this data structure is the most inclusive domain (shortest dot delimited suffix) of the cookie domain that does not name a domain registrar (i.e. "google.com" or "bbc.co.uk", but not "co.uk" or "com"). This is also known as the Effective Top Level Domain plus one, or eTLD+1, for short.
List of Domains including amazonaws.com
You can see the list of effective top level domains used by Firefox in its source code published on Mozilla's PublicSuffix.org. The Google CookieMonster page references PublicSuffix.org as well. This list includes a number of AWS domains, including the one you are attempting to use for EC2, submitted by Amazon.
// Amazon Elastic Compute Cloud : https://aws.amazon.com/ec2/
// Submitted by Luke Wells <[email protected]>
*.compute.amazonaws.com
*.compute-1.amazonaws.com
*.compute.amazonaws.com.cn
us-east-1.amazonaws.com
Note: I just noticed saurav kumar posted the Mozilla links to this in a comment.
Upvotes: 8
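As an added example (not code from the question or from any answer), here is a simplified version of the check the answer above describes, written against a constructed subset of the Public Suffix List: it derives a host's eTLD+1 the way publicsuffix.org's algorithm does (the longest matching rule wins; exception rules and IDNA normalisation are left out) and then applies the browser's Domain-attribute test to it. Class and method names are my own.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public final class CookieDomainPolicy {
    // Constructed subset of the Public Suffix List (publicsuffix.org); a real deployment
    // loads the full list. A "*." rule covers every label directly under that suffix.
    private static final List<String> RULES = Arrays.asList(
            "com", "uk", "co.uk", "*.compute.amazonaws.com", "*.compute-1.amazonaws.com");

    private static boolean matchesRule(String suffix) {
        if (RULES.contains(suffix)) return true;
        int dot = suffix.indexOf('.');
        return dot > -1 && RULES.contains("*." + suffix.substring(dot + 1));
    }

    /** Public suffix of host: the longest matching rule, or the last label when none matches. */
    static String publicSuffix(String host) {
        String[] labels = host.toLowerCase(Locale.ROOT).split("\\.");
        for (int i = 0; i < labels.length; i++) {
            String candidate = String.join(".", Arrays.copyOfRange(labels, i, labels.length));
            if (matchesRule(candidate)) return candidate;
        }
        return labels[labels.length - 1];
    }

    /** eTLD+1: public suffix plus one label; null when the host is itself a public suffix. */
    static String registrableDomain(String host) {
        String h = host.toLowerCase(Locale.ROOT);
        String ps = publicSuffix(h);
        if (h.equals(ps)) return null;                       // e.g. every *.compute-1.amazonaws.com host
        String rest = h.substring(0, h.length() - ps.length() - 1); // strip "." + ps
        return rest.substring(rest.lastIndexOf('.') + 1) + "." + ps;
    }

    /** The browser's acceptance test for a Domain attribute: it must domain-match the request
     *  host and must not reach above eTLD+1; a host with no eTLD+1 accepts only itself. */
    static boolean browserAcceptsDomain(String host, String domainAttr) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domainAttr.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) d = d.substring(1);           // a leading dot is ignored
        String reg = registrableDomain(h);
        if (reg == null) return d.equals(h);
        boolean suffixOfHost = h.equals(d) || h.endsWith("." + d);
        boolean atOrBelowEtldPlusOne = d.equals(reg) || d.endsWith("." + reg);
        return suffixOfHost && atOrBelowEtldPlusOne;
    }
}
```

For the asker's server name, registrableDomain returns null, so the servlet should skip setDomain entirely and let the cookie stay host-only; browserAcceptsDomain("ec2-27-123-206-78.compute-1.amazonaws.com", ".compute-1.amazonaws.com") returns false, which is why the Set-Cookie header in the question is silently dropped, while for "app.example.com" the same call with ".example.com" returns true and registrableDomain gives "example.com".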
Reputation: 2776
Your problem is that you are trying to set a cookie for an Amazon EC2 instance. On one side it is not possible, because it is part of the Public Suffixes, as mentioned, and for security reasons you can't do this.
On the other side, it makes no sense, because this public address, "ec2-27-123-206-78.compute-1.amazonaws.com/context/login", is dynamic, and it is not fixed for you. It is a DNS proxy which is currently reserved for you. If you want to set cookies from an EC2 instance, you should set domain names of your own hostnames, which are in front of the EC2 instances.
request.getServerName()
This gives you the current server name of EC2. But, for example, if you proxy requests with nginx, you should get the 'Host' header (1, 2).
Upvotes: 6
Reputation: 68
If the response header contains set-cookie, the cookie must have been created. Try removing set-domain and let it default. Also try setting max age.
Upvotes: 3