
I have an Angular (4) client (localhost:4200) which calls across to an ASP MVC CORE 2 WebApi. One of the calls, http://localhost:5000/api/session/resume, returns a cookie along with the response.

In the action method I have returned 3 cookies for testing purposes.

    [AllowAnonymous, HttpPost, Route("api/session/resume")]
    public async Task<AccountSignInResponse> Resume([FromBody]SessionResumeCommand command)
    {
        AccountSignInResponse apiResponse = await Mediator.Send(command);
        if (!apiResponse.HasErrors)
        {
            Response.Cookies.Append("TestCookie", ..., new CookieOptions
            {
                Domain = "localhost",
                Expires = DateTimeOffset.Now.AddDays(100),
                HttpOnly = false
            });
            Response.Cookies.Append("TestCookie4200", ..., new CookieOptions
            {
                Domain = "localhost:4200",
                Expires = DateTimeOffset.Now.AddDays(100),
                HttpOnly = false
            });
            Response.Cookies.Append("TestCookie5000", ..., new CookieOptions
            {
                Domain = "localhost:5000",
                Expires = DateTimeOffset.Now.AddDays(100),
                HttpOnly = false
            });
        }
        return apiResponse;
    }

The headers for this request are

    Request URL:http://localhost:5000/api/session/resume
    Request Method:POST
    Status Code:200 OK
    Remote Address:[::1]:5000
    Referrer Policy:no-referrer-when-downgrade

And the response headers are

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Content-Type: application/json; charset=utf-8
    Vary: Origin
    Server: Kestrel
    Set-Cookie: TestCookie=XXVtPqCdZ%2BBt9IbhP5Bi7sOLZ%2F%2BELB4fZ0rFArkM%2Be4%3D; expires=Fri, 03 Nov 2017 09:47:28 GMT; domain=localhost; path=/
    Set-Cookie: TestCookie4200=XXVtPqCdZ%2BBt9IbhP5Bi7sOLZ%2F%2BELB4fZ0rFArkM%2Be4%3D; expires=Fri, 03 Nov 2017 09:47:28 GMT; domain=localhost:4200; path=/
    Set-Cookie: TestCookie5000=XXVtPqCdZ%2BBt9IbhP5Bi7sOLZ%2F%2BELB4fZ0rFArkM%2Be4%3D; expires=Fri, 03 Nov 2017 09:47:28 GMT; domain=localhost:5000; path=/
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: http://localhost:4200
    X-SourceFiles: =?UTF-8?B?QzpcZGV2XFhlcnhlc1xYZXJ4ZXMtU2VydmVyXFNlcnZlclxhcGlcc2Vzc2lvblxyZXN1bWU=?=
    X-Powered-By: ASP.NET
    Date: Wed, 26 Jul 2017 09:47:28 GMT

As you can see, the cookies are being returned from the http://localhost:5000/api/session/resume call, but they are not being stored in my local cookies in any of Chrome, Edge, or Firefox. So when further requests are made for images and other resources I am only seeing another cookie (cookieLawSeen), and not this cookie.

When I browse the cookies for localhost in all of these browsers I don't see any SessionTokens in the storage. However, if I look at the request in the F12 developer tools I can click the [Cookies] tab and see ResponseCookies contains all three cookies.

Peter Morris
  • I had the same problem. Clearing the cache and deleting the browser data was the solution for me. – T. Jung Jul 26 '17 at 10:13
  • It's not the solution for me, I have only just used firefox on that site for the first time. I tried anyway, but no luck – Peter Morris Jul 26 '17 at 10:20
  • Have you set the [`withCredentials` property to true](https://stackoverflow.com/questions/35602866/how-to-send-cookie-in-request-header-for-all-the-requests-in-angular2) when you do the API call from Angular? Something like `this.http.get('http://...', { withCredentials: true })` – Set Jul 26 '17 at 10:44
  • I didn't realise withCredentials would permit the receiving of cookies, I thought it was only for sending. That worked, thanks! Add it as an answer and I will accept it – Peter Morris Jul 26 '17 at 11:40

2 Answers

You need to use the `withCredentials` property. It is needed for both sending and receiving cookies:

indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates.

Set it to `true` each time you make an API call from Angular. Something like the following:

    this.http.get('http://...', { withCredentials: true })

Set

I had the same problem and I found out that in .NET Core 2 the default of the session cookie was changed from "Send for: Any kind of connection" to send only to the same origin. In my case the server was at a different domain from localhost and therefore the cookie was not sent to the server.

In order to allow it you need to change the property of the session cookie called `SameSite` to `SameSiteMode.None`.

In addition to the above, I haven't been able to access a localhost server from the local Postman (even though they have the same origin). The above solved it as well.

Jaimesh
Yosi Golan
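Both answers describe a browser-side gate that silently drops cookies: the accepted answer the CORS credentials mode (`withCredentials`), the second the `SameSite` attribute. The example below is an added model of those gates, not code from the question, the answers, or Angular/ASP.NET Core. It models three checks in order: the CORS credentials check (an exact `Access-Control-Allow-Origin` plus `Access-Control-Allow-Credentials: true`, and no `Set-Cookie` applied at all when credentials are omitted), the RFC 6265 `Domain` match at storage time (which is why the two cookies with a port in their `Domain` could never be stored), and the `SameSite` rule when a stored cookie is sent again. The header and cookie strings are constructed to mirror the question's response, the site computation is simplified (no public suffix list, last two labels taken as the registrable domain), and the defaults follow current Chromium behaviour (unspecified `SameSite` treated as `Lax`, `SameSite=None` rejected without `Secure`), all of which are assumptions of the example rather than facts stated on the page.

```javascript
// Added example (not code from the question or either answer): a model of the
// three checks a browser applies before a cookie set by a cross-origin API call
// is stored and later sent back. Header and cookie strings are constructed to
// mirror the ones in the question; no real browser or network is involved.

// Gate 1: CORS. With credentials the response must name the origin exactly and
// carry Access-Control-Allow-Credentials: true (a wildcard origin is rejected).
// Without credentials the browser ignores any Set-Cookie on the response.
function corsGate(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCreds = headers['access-control-allow-credentials'];
  if (!withCredentials) {
    return { exposed: allowOrigin === '*' || allowOrigin === requestOrigin, cookiesStored: false };
  }
  const ok = allowOrigin === requestOrigin && allowCreds === 'true';
  return { exposed: ok, cookiesStored: ok };
}

// Minimal Set-Cookie parser for the attributes the gates below look at.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
                   domain: null, secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.charAt(0).toUpperCase() + v.slice(1).toLowerCase(); break;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching. The request host carries no port, so
// a Domain attribute such as "localhost:4200" can never match anything.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

// Gate 2: storage. A Domain the request host does not match drops the cookie
// (RFC 6265 section 5.3); SameSite=None without Secure is rejected by current
// Chromium- and Gecko-based browsers (assumed default here).
function storageGate(requestHost, cookie) {
  if (cookie.domain !== null && !domainMatches(requestHost, cookie.domain)) return false;
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  return true;
}

// "Site" for SameSite purposes: scheme plus registrable domain, port ignored.
// Simplification: no public suffix list, so the registrable domain is taken as
// the last two labels (the whole host for single-label names like localhost).
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  const registrable = labels.length > 2 ? labels.slice(-2).join('.') : u.hostname;
  return `${u.protocol}//${registrable}`;
}

// Gate 3: sending. Decides whether a stored cookie is attached to a request from
// page `fromUrl` to `toUrl`. An unspecified SameSite is treated as Lax, as
// current Chromium does; older browsers treated it as None.
function sendGate(cookie, fromUrl, toUrl, { topLevelNavigation = false, method = 'GET' } = {}) {
  const target = new URL(toUrl);
  if (cookie.secure && target.protocol !== 'https:') return false;
  if (cookie.domain !== null && !domainMatches(target.hostname, cookie.domain)) return false;
  if (siteOf(fromUrl) === siteOf(toUrl)) return true; // same-site: SameSite never blocks
  const mode = cookie.sameSite || 'Lax';
  if (mode === 'Strict') return false;
  if (mode === 'Lax') return topLevelNavigation && ['GET', 'HEAD'].includes(method);
  return true; // None, and Secure was already required at storage time
}

// Walk the question's three test cookies through the gates for one API call.
function simulateResume(withCredentials) {
  const page = 'http://localhost:4200/';
  const api = 'http://localhost:5000/api/session/resume';
  const responseHeaders = { // constructed, mirrors the response in the question
    'access-control-allow-origin': 'http://localhost:4200',
    'access-control-allow-credentials': 'true',
  };
  const setCookies = [ // constructed; values shortened, expires omitted
    'TestCookie=abc; domain=localhost; path=/',
    'TestCookie4200=abc; domain=localhost:4200; path=/',
    'TestCookie5000=abc; domain=localhost:5000; path=/',
  ];
  const cors = corsGate(new URL(page).origin, withCredentials, responseHeaders);
  const stored = cors.cookiesStored
    ? setCookies.map(parseSetCookie).filter((c) => storageGate(new URL(api).hostname, c))
    : [];
  // Stored cookies are not port-scoped (RFC 6265 section 8.5), and :4200 and
  // :5000 are the same site, so a later request to the API carries them.
  const sentOnNextCall = stored.filter((c) => sendGate(c, page, api)).map((c) => c.name);
  return { exposed: cors.exposed, stored: stored.map((c) => c.name), sentOnNextCall };
}
```

`simulateResume(false)` returns an exposed response with nothing stored, which is the symptom in the question; `simulateResume(true)` stores only `TestCookie`, because a `Domain` containing a port never matches the request host. The model also shows why the second answer's situation differs from the question's: `localhost:4200` and `localhost:5000` are different origins but the same site, so `SameSite=Lax` does not block them, whereas an API on another registrable domain needs `SameSite=None` together with `Secure` (and therefore HTTPS) before current browsers will store and send the cookie.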