7

My Laravel session cookie doesn't get set in a browser even though the server response contains the right Set-Cookie header. The Laravel server is running at localhost:8000, and the client application is a NuxtJS SPA running at localhost:7000.

The response header containing Set-Cookie is as follows:

HTTP/1.1 200 OK
Host: localhost:8000
Date: Sun, 06 Sep 2020 00:50:31 GMT
Connection: close
X-Powered-By: PHP/7.4.10
Cache-Control: no-cache, private
Date: Sun, 06 Sep 2020 00:50:31 GMT
Content-Type: application/json
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, PATCH, DELETE
Access-Control-Allow-Headers: Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Authorization, Access-Control-Request-Headers, Set-Cookie
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Set-Cookie: dv_session=ifhSq8WFD2Upltr5v2bzNBgaA5xx3KiDVuMWuBge; expires=Sun, 06-Sep-2020 02:50:31 GMT; Max-Age=7200; path=/

Making the same request through postman, the cookie is saved:


So, it seems like the browser is ignoring the 'Set-Cookie' header.

My session.php file is as follows:

<?php

return [
    'driver' => env('SESSION_DRIVER', 'redis'),
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
    'encrypt' => false,
    'files' => storage_path('framework/sessions'),
    'connection' => env('SESSION_CONNECTION', null),
    'table' => 'sessions',
    'store' => env('SESSION_STORE', null),
    'lottery' => [2, 100],
    'cookie' => 'dv_session',
    'path' => '/',
    'domain' => "",
    'secure' => false,
    'http_only' => false,
];

Why is the cookie getting saved in Postman, but being ignored by browsers?

ChristianF
  • When you say it's not set you've checked your cookie storage and it's not in there at all? – apokryfos Sep 06 '20 at 04:22
  • Correct. I can see in the response header of the API call that the “set-cookie” is there with the correct value, but checking the cookie storage, it’s not there. I’ve tried using Chrome and Firefox. – ChristianF Sep 06 '20 at 04:32
  • Also, Chrome doesn’t say that the cookie was blocked for any reason - just fails silently – ChristianF Sep 06 '20 at 04:37
  • Click on the icon left of the address bar (the thing that says "not secure" or has a padlock icon) and from there click cookies. Make sure your cookies are not in the "blocked" part. Also you could check your browser settings to make sure you enable "third-party cookies" – apokryfos Sep 06 '20 at 04:59

4 Answers

4

Your problem runs in Chrome and Safari. Firefox will work with you. The problem is that Chrome is not allowing cookies from http domains, which is your localhost. It's one of their latest releases.

You should be fine in production since you are going to have an https certificate there. But for development you can use Firefox.

Another workaround is to set the 'secure' field to false in session.php:

'secure' => env('SESSION_SECURE_COOKIE', false)

This used to do the trick at first, but I personally decided to move to Firefox because that trick stopped working and I had to "hack my way" around this issue, so it was easier to just change browsers for development.

pr1nc3
  • I stopped using Chrome altogether. Security ok. But it won't even allow you to use non-existing TLDs like .test or .dev. The ones we often use in a development environment. I switched to Pale Moon for dev, a Mozilla offspring. For Vue.js dev, FF is still the preferred browser. – Dimitri Mostrey Sep 06 '20 at 05:48
  • will hello Firefox – Juliver Galleto Dec 29 '21 at 03:58
  • +1 for suggesting to use Firefox. I had a similar issue, but in my case I had to set `'same_site' => 'none'` in the `session.php` file, which usually only works with the `secure` attribute, *except in Firefox*. However, it says these cookies will soon be rejected, so I'm not sure how to work around this in the future. – AdHorger Jun 07 '22 at 17:37
1

I had a similar problem with a REST API. With Postman I was able to see the cookie with the httpOnly flag, but in the browser nothing.

My solution was to correctly set the withCredentials option for the request. Here is a link to a more detailed discussion: Set-Cookie on Browser with Ajax Request via CORS

And change the supports_credentials variable to true in the Laravel file config/cors.php.

scorpion
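The mechanism this answer relies on, as an added example that is not from the question or any answer: a small model of the browser's CORS credentials check, run over a header map like the one in the question and over a corrected one (the function names and the sample header maps are assumptions).

```javascript
// Added example, not code from the question or any answer: a model of the
// browser's CORS credentials check, which decides whether Set-Cookie on a
// cross-origin response is honoured. Names and header maps are constructed.

const ORIGIN = 'http://localhost:7000'; // the Nuxt SPA origin from the question

// Browser side. `withCredentials` mirrors XMLHttpRequest.withCredentials or
// fetch's credentials: 'include'; `headers` has lower-cased header names.
function cookieWillBeStored(requestOrigin, withCredentials, headers) {
  if (!withCredentials) {
    // A credential-less cross-origin request neither sends nor stores
    // cookies, whatever the server replies (this is the question's case).
    return { stored: false, reason: 'request made without credentials' };
  }
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCreds = headers['access-control-allow-credentials'];
  // With credentials the wildcard is rejected: the origin must be echoed exactly.
  if (allowOrigin !== requestOrigin) {
    return { stored: false, reason: `Allow-Origin '${allowOrigin}' is not ${requestOrigin}` };
  }
  if (allowCreds !== 'true') {
    return { stored: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { stored: true, reason: 'CORS credentials check passed' };
}

// Server side, the effect of supports_credentials => true with an explicit
// origin allow-list: echo one allow-listed origin (never '*'), mark the
// response as varying by Origin, and advertise credential support.
function corsHeadersFor(requestOrigin, allowedOrigins, supportsCredentials) {
  const h = {};
  if (!allowedOrigins.includes(requestOrigin)) return h; // unknown origin: no CORS headers
  h['access-control-allow-origin'] = requestOrigin;
  h['vary'] = 'Origin';
  if (supportsCredentials) h['access-control-allow-credentials'] = 'true';
  return h;
}

// Constructed excerpt of the response headers shown in the question.
const questionHeaders = {
  'access-control-allow-origin': '*',
  'set-cookie': 'dv_session=<value>; Max-Age=7200; path=/',
};

// Corrected response: the server's CORS headers plus the same cookie.
const fixedHeaders = { ...corsHeadersFor(ORIGIN, [ORIGIN], true), 'set-cookie': questionHeaders['set-cookie'] };

console.log(cookieWillBeStored(ORIGIN, false, questionHeaders)); // stored: false
console.log(cookieWillBeStored(ORIGIN, true, questionHeaders));  // stored: false
console.log(cookieWillBeStored(ORIGIN, true, fixedHeaders));     // stored: true
```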
1

In my case, I had the domain set incorrectly in config/session.php:

'domain' => env('SESSION_DOMAIN', env('APP_URL')),

Daniel Katz
0

I had this problem, too. In my case it was because of a debugging echo statement in the index.php file. The thing is that echo should go after all necessary headers have been set, otherwise PHP cannot set them.

Striezel