Cookies don't show up in developer console of Safari/Chrome with Set-Cookie Header, but exist when looking at server logs

Question

I am storing cookies for my web app using the 'Set-Cookie' header response from my python backend.

Here is my ajax call on the client-end to the function:

In developer tools in Chrome and Safari, when I look for the cookies, the cookies don't show up.

On Chrome, the Set-Cookie doesn't even show up in the response header to the network call. In Safari, the Set-Cookie response header shows up and shows under request/response cookies, but when I check cookies for the application, nothing shows up.

Furthermore, the cookie data shown in Safari is incorrect: it shows an incorrect expiration date and httpOnly/secure which should both be true.

The cookies seem to not exist, but when I log the server, I see clearly that the cookies exist and they appear (also safari shows them going back and forth in the request/response headers)which means that the cookies are being properly stored and sent back to the server after every call in the header. I tried earlier to set httpOnly to false and secure to false, but even then the cookies exhibited the same behavior.

These cookies are still under the radar of both developer tools. How can I see the cookies on the browser in developer tools correctly? And what could this problem be?

I see this in Safari right now. The cookie is definitely set (because the server sees it), and it survives restarting Safari. But I can't see it in the console... this is a problem, because I want to delete it! — Doctor Eval, Apr 02 '20 at 10:09
See this answer https://stackoverflow.com/a/55414345/1558222 . you should enable them — endamaco, Jul 02 '20 at 12:54

score 1 · Accepted Answer · edited Mar 18 '21 at 11:52

1

Have you tried opening a tab to the server https://*.amazonaws.com and checking there instead?

The cookie will be set on the server's domain, but you won't see it in your local server's cookie storage. The reason is that all web storages are bound by same origin policy and your document can only access storages from its own domain, and the server can only set cookies for it's domain.

The rationale here is that if I sent you a link to a rogue document, it can't exfiltrate your SO cookies even if they were accessible from JS, neither sending a request to a rogue server can overwrite cookies on SO.

edited Mar 18 '21 at 11:52

Dharman

30,962
25
85
135

answered Mar 18 '21 at 11:46

Filip Dupanović

32,650
13
84
114

This is correct. If you want to use this method of Secure HTTPOnly cookies, your API must be hosted by the same server's domain. In my case, I fixed this by hosting my api at api.domainname.com – Jonathan Wong Aug 09 '21 at 21:53

Or Assayag · Answer 2 · 2021-04-07T06:43:03.120

0

Try to disable chrome://flags/#network-service and it should work properly.

edited Apr 07 '21 at 06:43

answered Dec 30 '20 at 17:57

Or Assayag

5,662
13
57
93

Cookies don't show up in developer console of Safari/Chrome with Set-Cookie Header, but exist when looking at server logs

2 Answers2