
I'm developing a small site w/ Go and I'm trying to set a cookie from my server.

I'm running the server on localhost, with 127.0.0.1 aliased to subdomain-dev.domain.com on port 5080.

When I receive the response for my POST to subdomain-dev.domain.com:5080/login I can see the Set-Cookie header. The response looks like this:

HTTP/1.1 307 Temporary Redirect
Location: /
Set-Cookie: myappcookie=encryptedvalue==; Path=/; Expires=Fri, 13 Sep 2013 21:12:12 UTC; Max-Age=900; HttpOnly; Secure
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Date: Fri, 13 Sep 2013 20:57:12 GMT

Why isn't Chrome or Firefox recording this? In Chrome it doesn't show up in the Resources tab. In FF I can't see it either. And in neither do I see it in future Request headers.

Chris Pfohl
  • BTW, why don’t you use `SetCookie` in `net/http` and write it on your own? – Mostafa Sep 15 '13 at 03:27
  • I am using `SetCookie` (or rather, gorilla/sessions is). It wasn't an issue w/ how to set it, it was an issue of why Chrome was ignoring it. ;) Thanks for the input! – Chris Pfohl Sep 15 '13 at 17:03
  • Besides the other great comments of things to investigate, I recently found that if you are using `fetch` to send the request, chrome < 68 had default behavior to drop all cookies. https://stackoverflow.com/questions/65981488/cookie-in-chrome-68-not-accepted – 1110101001 Apr 16 '23 at 20:10

5 Answers


See that Secure string in the cookie?

Yeah, me too. But only after a few hours.

Make sure you're accessing your site by SSL (https:// at the beginning of the URL) if you've got the Secure flag set.

If you're developing locally and don't have a cert, make sure you skip that option.

Chris Pfohl
  • This is not the answer, you should not be able to see an HttpOnly cookie from Chrome or Firefox.. – julio Apr 29 '20 at 17:24
  • @julestruong It was definitely the answer...since I answered my own question. I wasn't trying to access it from JavaScript; just trying to set the cookie. This was years ago, but it was just a session cookie. – Chris Pfohl May 01 '20 at 12:43
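To make the point of this answer visible without a browser, here is an added Go example (it is not the question's code and not gorilla/sessions). The handler issues the cookie from the question and sets Secure only when the request actually arrived over TLS, so a plain http://subdomain-dev.domain.com:5080 dev setup gets a cookie the browser will keep, while a real TLS listener gets the Secure attribute. The X-Forwarded-Proto handling and the trustForwarded flag are assumptions about a reverse-proxy deployment, not something the question describes.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sessionCookie builds the cookie from the question. Secure is set only when
// the response travels over TLS: browsers silently drop a Secure cookie that
// arrives over plain http://, which is what happened on :5080 here.
func sessionCookie(value string, overTLS bool) *http.Cookie {
	return &http.Cookie{
		Name:     "myappcookie", // name/value taken from the question's header
		Value:    value,
		Path:     "/",
		MaxAge:   900,
		HttpOnly: true,
		Secure:   overTLS,
	}
}

// requestIsTLS reports whether r arrived over TLS, either on this listener or,
// when trustForwarded is true, via a reverse proxy that terminated TLS and set
// X-Forwarded-Proto. Only enable trustForwarded behind a proxy you control,
// otherwise any client can claim "https" (assumed deployment detail).
func requestIsTLS(r *http.Request, trustForwarded bool) bool {
	if r.TLS != nil {
		return true
	}
	return trustForwarded && strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// loginHandler mirrors the 307 response in the question. "encryptedvalue=="
// stands in for whatever the session store would produce.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, sessionCookie("encryptedvalue==", requestIsTLS(r, false)))
	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
}

// setCookieHeader drives loginHandler with a recorded request and returns the
// Set-Cookie header a browser would receive, with or without TLS.
func setCookieHeader(overTLS bool) string {
	req := httptest.NewRequest(http.MethodPost, "http://subdomain-dev.domain.com:5080/login", nil)
	if overTLS {
		req.TLS = &tls.ConnectionState{} // what a real TLS listener populates
	}
	rec := httptest.NewRecorder()
	loginHandler(rec, req)
	return rec.Header().Get("Set-Cookie")
}

func main() {
	fmt.Println("http :", setCookieHeader(false))
	fmt.Println("https:", setCookieHeader(true))
}
```

Running it prints the cookie twice: the plain-http variant ends in `HttpOnly`, the TLS variant in `HttpOnly; Secure`. The first is the one a browser on http://…:5080 will actually store; the second is what production should send.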

In my case, I had to add this to my response:

access-control-expose-headers: Set-Cookie

I found here that my Set-Cookie header was not accessible to my client unless I added it to the exposed-headers header. Hope this can help someone!

jimkick3

Found a related GitHub issue, response cookies not being sent, that helped.
In my case I am running a React app under https (with the mkcert tool) and making a cross-origin fetch request and getting the response. The cookies in the response are not set until I:

  1. specify credentials: 'include' for the fetch request (example: fetch API)
     fetch('https://example.com', {
       credentials: 'include'
     });
  2. specify these response headers from the server:
     Access-Control-Allow-Credentials: true
     Access-Control-Allow-Origin: https://localhost:3000
     The Access-Control-Allow-Origin header has the value of the URL of my React app.
  3. add these attributes to the Set-Cookie header: Path=/; HttpOnly; Secure; SameSite=None (see Using HTTP cookies)

Hope it helps someone!

serhii kuzmych
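The three server-side pieces of this answer, as an added Go example (not code from the answer, which is about a React client, and not from the question's project): the handler echoes an allow-listed Origin into Access-Control-Allow-Origin, sends Access-Control-Allow-Credentials: true, answers the preflight, and issues a cookie with SameSite=None; Secure. The allow-list contents, cookie name and host name are illustrative assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is the explicit allow-list (assumed for this example).
// A credentialed CORS response must name one concrete origin: browsers
// reject "*" when the fetch uses credentials: 'include'.
var allowedOrigins = map[string]bool{
	"https://localhost:3000": true,
}

// applyCORS writes the headers a credentialed cross-origin fetch needs.
// It returns false when a browser Origin is present but not allow-listed.
func applyCORS(w http.ResponseWriter, r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // same-origin or non-browser client: no CORS headers needed
	}
	if !allowedOrigins[origin] {
		return false
	}
	h := w.Header()
	h.Set("Access-Control-Allow-Origin", origin) // echo the allow-listed value, never "*"
	h.Set("Access-Control-Allow-Credentials", "true")
	h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
	h.Set("Access-Control-Allow-Headers", "Content-Type")
	h.Add("Vary", "Origin") // caches must not reuse this response for another origin
	return true
}

// corsLoginHandler answers the preflight and, on POST, sets the cookie.
// SameSite=None is only honoured together with Secure, so the site must
// be served over https (mkcert in the answer above).
func corsLoginHandler(w http.ResponseWriter, r *http.Request) {
	if !applyCORS(w, r) {
		http.Error(w, "origin not allowed", http.StatusForbidden)
		return
	}
	if r.Method == http.MethodOptions {
		w.WriteHeader(http.StatusNoContent) // preflight: headers only
		return
	}
	http.SetCookie(w, &http.Cookie{
		Name:     "session", // assumed name; value stands in for a real session id
		Value:    "opaque-session-id",
		Path:     "/",
		MaxAge:   900,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteNoneMode,
	})
	w.WriteHeader(http.StatusNoContent)
}

// respondTo runs corsLoginHandler for a request carrying the given Origin
// and returns the status and headers, so the exchange can be inspected
// without a browser. api.example.test is an assumed API host.
func respondTo(method, origin string) (int, http.Header) {
	req := httptest.NewRequest(method, "https://api.example.test/login", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	corsLoginHandler(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	for _, origin := range []string{"https://localhost:3000", "https://evil.example"} {
		code, h := respondTo(http.MethodPost, origin)
		fmt.Printf("%-24s -> %d ACAO=%q Set-Cookie=%q\n",
			origin, code, h.Get("Access-Control-Allow-Origin"), h.Get("Set-Cookie"))
	}
}
```

The allow-listed origin gets a 204 with its own origin echoed back and the SameSite=None; Secure cookie; the unknown origin gets a 403 and no cookie. The client side of this exchange is the fetch call with credentials: 'include' shown in the answer above.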

For others who have encountered this issue, here is the set of things I needed to do in order to get my cookie (I happen to be using fastapi-users on the backend and the JS fetch API on the frontend):

  • change my CORS configuration so that the set of headers was not "*" but fully specified (I pulled from the standard request fields)
  • add cookie_samesite="none" to my cookie transport in my backend configuration
  • add credentials: 'include' to my request in the fetch api
aslade
  • It appears you can also do this in Starlette exposed set_cookie if you prefer this over using CookieTransport... https://www.starlette.io/responses/#set-cookie – paxton91michael Mar 23 '23 at 17:37

flask, flask_jwt_extended

My issue was that I had a function (decorated with @Blueprint.after_app_request, so it ran right before the response was sent back to the client) that set a header on the response to refresh the cookie.

So my logout function added the header to expire the cookie, and the refreshing function refreshed my cookie.

So the response had the following headers:

  1. Expire the cookie.
  2. Refresh the cookie.

Maybe this will help someone one day.