See cookies in Chrome devtools set from an ajax XHR request

Question

I have a page on localhost:4000 that has a cookie set by the server. The page also contains a script that successfully makes an XHR request back to the server upon the page loading. This XHR request response sets a second cookie. I can only see the non-XHR cookie in Chrome devtools under Application (tab) > Storage (menu group on left) > Cookies > http://localhost:4000.

I can see the XHR cookie returned from the server in the Network tab (which if the page is loaded a second time shows both the non-XHR and XHR cookies are correctly included in the XHR request:

Request Cookies
xhr_cookie  valueABC
from_homepage   value123
Response Cookies
xhr_cookie  valueABC

So the XHR cookie is being persisted somewhere but I can't see it in Chrome's devtools.

Can you please look at https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials paragraph two ? — M at, May 02 '17 at 21:34
@MahdiRafatjah thanks for the link. `withCredentials` only refers to CORS (coincidentally it is also already set to true in the XHR request show above). Instead I'd like to know where I can see this XHR cookie value in Chrome dev tools. — AJP, May 02 '17 at 21:43

AJP · Answer 1 · 2017-05-03T09:29:40.757

2

Not the answer for Chrome but a work around is to use Firefox and enable the Storage "inspector" from the gear wheel on the web developer pane. https://developer.mozilla.org/en-US/docs/Tools/Storage_Inspector

edited May 03 '17 at 09:29

answered May 02 '17 at 21:55

AJP

26,547
23
88
127

I wish you could post your codes in here. cause i were testing it but no luck for cross-origin website. – M at May 03 '17 at 06:43
You just need to a server to set a cookie on a return, have the script send an xhr and then have the server set a different cookie on that endpoint / request. `withCredentials` only refers to CORS. – AJP May 03 '17 at 09:46

score 0 · Answer 2 · edited May 23 '17 at 11:47

Same Origin request were fine.

Cross origin request has some limitations.

File:1.php:

<?php
    setcookie("cookie_name_1", "cookie_value_1", time() + (86400 * 30), "/"); 
?>
<script>
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'http://foo.ir/2.php', true);
    xhr.withCredentials = true;
    xhr.onreadystatechange = function() {
      if(this.readyState == xhr.DONE) {
       get_res();
      }
    }
    xhr.send(null);

    function get_res(){
        var xhr = new XMLHttpRequest();
        xhr.open('GET', 'http://foo.ir/2.php?is_set', true);
        xhr.withCredentials = true;
        xhr.onload = function () {
            if (xhr.readyState === xhr.DONE) {
                if (xhr.status === 200) {
                   console.log(xhr.responseText);
                }
            }
        };
        xhr.send(null);
    }
</script>

File:2.php

<?php
header('Access-Control-Allow-Origin: http://localhost');
header('Access-Control-Allow-Credentials: true');

if(isset($_GET["is_set"])){
    if(isset($_COOKIE["cookie_name_2"]))
        echo "cookies are set:".$_COOKIE["cookie_name_2"];
    else
        echo "cookies not set";
}else
    setcookie("cookie_name_2", "cookie_value_2", time() + (86400 * 30), "/");
?>

Cross-origin cookies are working:You need to allow third party cookies to be set in browser setting
I couldn't find where third party cookies are stored.
Chrome Won't show cookies and wont effect the real website.
Firefox & Edge save cookies in the third party website storage thus it will effect real third party website.

More information can be found on Here

According to the XMLHttpRequest Level 1 and XMLHttpRequest Level 2, this particular response headers falls under the "forbidden" response headers that you can obtain using getResponseHeader(), so the only reason why this could work is basically a "naughty" browser

"I couldn't find where third party cookies are stored." this is the question I'm trying to find the answer for in Chrome but thanks for the post. I will use Firefox for now. SameOrigin does not work fine with regard to the question being asked. CrossOrigin is not part of the question though is also interesting. For this you would need to set both the xhrHeader to `withCredentials true` as **`withCredentials` is CORS only**, and you'd also need to set the crossDomain option to true if using jquery. — AJP, May 03 '17 at 09:47

score 0 · Answer 3 · answered Apr 29 '22 at 00:27

0

This should show up as a seperate "Cookies" tab when you inspect the XHR request. It's easy to miss because the tab only shows when withCredentials is set to true.

answered Apr 29 '22 at 00:27

gamliela

3,447
1
35
41

score -1 · Answer 4 · answered Oct 16 '19 at 11:32

-1

In Chrome, disable "Site isolation":

Go to 'chrome://flags/#site-isolation-trial-opt-out
Set Disable site isolation to Disabled
Relaunch

For further details see: https://blog.ermer.de/2018/06/11/chrome-67-provisional-headers-are-shown

answered Oct 16 '19 at 11:32

Markus Pscheidt

6,853
5
55
76

See cookies in Chrome devtools set from an ajax XHR request

4 Answers4