djc

Browser does not send cookies when cookie is set on a 303 redirect

When I set a cookie in a 303 See Other response, the next request (with the redirected-to location) does not contain the specified cookie. https://www.rfc-editor.org/rfc/rfc7231#section-6.4.4 (on 303 response) does not seem to mention cookies specifically. I can reproduce the issue on both current Firefox and current Chrome. As you can see from the Host headers, all of these are made against the same origin.

Fails

POST /login HTTP/1.1
Host: localhost:22242

HTTP/1.1 200 OK
content-type: text/html
content-length: 694
set-cookie: Authenticating=RrPWNaWsbC013k9QE9zzjJ5C2-c6DKHUnwoKZnL3-knY1aMlxpoGKIm5Kgc
date: Wed, 22 Jul 2020 15:13:14 GMT

POST /mfa/check HTTP/1.1
Host: localhost:22242
Cookie: Authenticating=RrPWNaWsbC013k9QE9zzjJ5C2-c6DKHUnwoKZnL3-knY1aMlxpoGKIm5Kgc

HTTP/1.1 303 See Other
content-length: 0
location: /
set-cookie: Session=k4Bx657138TS2SWdD6KXSxfUy9lddN89HdDOn5_dDLFfvFJwTdEpTGZ_4pw
date: Wed, 22 Jul 2020 15:13:53 GMT

GET / HTTP/1.1
Host: localhost:22242
Cookie: Authenticating=RrPWNaWsbC013k9QE9zzjJ5C2-c6DKHUnwoKZnL3-knY1aMlxpoGKIm5Kgc

Why doesn't the latter request send the Session cookie?

Works

POST /login HTTP/1.1
Host: localhost:22242

HTTP/1.1 200 OK
content-type: text/html
content-length: 718
date: Wed, 22 Jul 2020 15:20:41 GMT

POST /mfa/check HTTP/1.1
Host: localhost:22242

HTTP/1.1 303 See Other
location: /
set-cookie: Session=0WGq8q3Z_chLgf6gUSUnPrivqa8jqvOQJRlDnY8XehQhN4QwIjk0FYwXajI
content-length: 0
date: Wed, 22 Jul 2020 15:21:41 GMT

GET / HTTP/1.1
Host: localhost:22242
Cookie: Session=0WGq8q3Z_chLgf6gUSUnPrivqa8jqvOQJRlDnY8XehQhN4QwIjk0FYwXajI

In this seemingly similar case, the cookie is set correctly after the 303 redirect.

Upvotes: 3

Views: 1925

Answers (1)

djc

This was a PEBKAC: I figured out that the problem here is the implicit default for the Path parameter in Set-Cookie headers. The Path parameter defaults to the current path, meaning the cookie will not be sent to parent paths.

Because I wasn't focused on the paths that much, it's possible I may have the example requests/responses wrong... I'm going to check what's up with that.

Upvotes: 2
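The Path default described in the answer can be replayed offline. The following is an added example, not code from the original post: it implements the default-path and path-match rules of RFC 6265 section 5.1.4 and runs the "Fails" request sequence through a minimal cookie jar. The names `defaultPath`, `pathMatches`, `CookieJar` and `replay` are hypothetical, and the cookie values are constructed placeholders.

```javascript
// RFC 6265 section 5.1.4: path a cookie gets when Set-Cookie has no Path attribute.
function defaultPath(requestPath) {
  const uriPath = requestPath.split("?")[0];
  if (uriPath === "" || uriPath[0] !== "/") return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  // Everything up to, but not including, the right-most "/".
  return lastSlash === 0 ? "/" : uriPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4: does the request path fall under the cookie's path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Minimal jar that only models name, value and Path (no Domain, expiry or flags).
class CookieJar {
  constructor() { this.cookies = []; }

  // Store a Set-Cookie header value received in the response to requestPath.
  store(requestPath, setCookie) {
    const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let path = defaultPath(requestPath);
    for (const attr of attrs) {
      const [key, val = ""] = attr.split("=");
      if (key.trim().toLowerCase() === "path" && val.trim().startsWith("/")) path = val.trim();
    }
    this.cookies = this.cookies.filter((c) => !(c.name === name && c.path === path));
    this.cookies.push({ name, value, path });
  }

  // Build the Cookie header a browser would send for requestPath.
  headerFor(requestPath) {
    const p = requestPath.split("?")[0];
    return this.cookies.filter((c) => pathMatches(p, c.path))
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

// Replay the "Fails" sequence: cookie set on /login, then on /mfa/check, then GET /.
function replay(sessionSetCookie) {
  const jar = new CookieJar();
  jar.store("/login", "Authenticating=AUTH_PLACEHOLDER");   // constructed value
  jar.store("/mfa/check", sessionSetCookie);
  return jar.headerFor("/");
}
```

Calling `replay("Session=SESSION_PLACEHOLDER")` returns only the Authenticating cookie, because the Session cookie is scoped to `/mfa`; adding `; Path=/` to the header makes both cookies go out on `GET /`.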
