72

I have an ASP.net application that uses a cookie to store the user selected language. Everything works fine except when I'm on localhost. Replacing localhost by 127.0.0.1 makes it work again... why?

I saw intended restrictions to file:// but I can't actually find any reference to intended restriction to localhost.

What I can't really understand is why the ASP.net Session (ASP.NET_SessionId) and ASP.net Forms Authentication Cookies (.FSAUTHSSO) are correctly set for the localhost domain but my cookies aren't... why?!

I already googled a lot and nothing works:

  • Setting the Chrome command line flag --enable-file-cookies [DOES NOT WORK]
  • Setting the cookie to HttpOnly [DOESN'T MATTER]
  • Changing Expiration to Session or to a Date... [DOESN'T MATTER]
  • Changing the Cookie Path to Root (/) or to anything else [DOESN'T MATTER]

So what does matter? :)

And why can the ASP.net cookies be set and mine can't? What's the difference?

Last thing just to mention that this also happens on IE but works fine on FF.

Thanks!

Alex

AlexCode
  • What are the cookie settings in `Options->Under the Hood->Privacy->Content settings`? Or do you have any Exceptions there that are being applied to localhost? – Jon Adams Sep 10 '11 at 01:19
  • I haven't touched Google Chrome settings. The one you're asking is set to: Cookies: Allow local data to be set (recommended). I also have no exceptions set... didn't touch any of the default settings... – AlexCode Sep 10 '11 at 15:48
  • 9
    4 years later, the year is 2015 and this still [is a problem](http://stackoverflow.com/questions/28583729/chrome-doesnt-set-cookie-from-response). – Gaui Feb 18 '15 at 20:03
  • Since localhost servers often run under a different port I should mention that you might try setting the url of the cookie using a hostname without an explicit port. Eg. instead of `cookie.url = '127.0.0.1:3001';`, you could try `cookie.url = '127.0.0.1';`. Doing this worked for me. See here for more info: http://stackoverflow.com/questions/1612177/are-http-cookies-port-specific – eremzeit Apr 29 '15 at 09:03
  • try cookie.url='' ; let browser decide – Jeffz May 05 '15 at 12:26
  • What is "the url of the cookie"? – Jens Mander Jul 08 '21 at 20:04

13 Answers

47

Cookies are designed for second level and down. First level domains will not work. Instead you should use the address http://127.0.0.1 (as you mentioned) or you could edit your hosts file to map a different URL with a TLD to the address 127.0.0.1 such as:

```
127.0.0.1   yoursite.tld
```

Just researched this further; found this answer: Cookies on localhost with explicit domain

Community
chrisburke.io
  • 5
    Yeah, this is the kind of "solution" I've found all over, but still doesn't explain why other cookies work, like the ASP.net ones that I mention. – AlexCode Sep 10 '11 at 15:44
  • 2
    The ASP.NET ones are "session" cookies. Chrome stores "session" cookies for localhost, but not "permanent" cookies. To set a "session" cookie, simply DON'T set an expiration date on the cookie (or explicitly set it to DateTime.MinValue). Session cookies are actually supposed to be deleted every time the browser closes, but Chrome/Firefox have features like "continue where I left off" or "open my tabs from last time" that actually cause the browser to hang onto "session" cookies indefinitely instead of deleting them. Security hole, lol. – Triynko Nov 04 '16 at 13:18
  • Oh my god, I spent hours to debug my application, and all I have to do is to change my localhost into 127.0.0.1 ! – Rich Mar 14 '22 at 16:42
24

Please try to put `cookie.Domain = null` on localhost and use the domain name otherwise.

isherwood
Ehab
23

This was driving me nuts for hours! Then I realized:

  1. I recently used HTTPS://localhost and set a cookie with the same name.

  2. That was the reason HTTP://localhost was unable to set the cookie

  3. So I went to https, cleared the cookies in the "application" tab in devtools and it started working with http again

Alex from Jitbit
  • 3
    After removing the "Secure" flag on my Set-Cookie header, I ran into this issue for Google Chrome: you saved me lots of hours, thanks! – boly38 Sep 20 '19 at 10:44
9

I fixed my problem by going to chrome://flags/ then search for cookies. Set the following 3 flags to disabled...

  • SameSite by default cookies
  • Enable removing SameSite=None cookies
  • Cookies without SameSite must be secure
Simon.S.A.
Vishwajeet
7

I just had the same issue in Chrome. I had cookie.Secure = true. Getting rid of that for localhost fixed the issue for me.

(Had the exact same issue, FWIW: worked in FF, not IE or Chrome)

CleverPatrick
7

Good news. Setting cookies on localhost is now possible on Chrome starting Canary build: https://code.google.com/p/chromium/issues/detail?id=551906

agektmr
4

I know this might be silly but it just happened to me where I took over an asp.net mvc application where I could not get them to work locally. Finally, another developer pointed to an entry in the web.config that had been added recently.

```xml
<httpCookies httpOnlyCookies="true" requireSSL="true" />
```

Setting the requireSSL to "false" locally. Remember to apply the transformations through the environments. I hope this helps.

user906573
2

There is an issue on Chromium, open since 2011: if you are explicitly setting the domain as 'localhost', you should set it to false for it to work, or set the domain to 127.0.0.1.

Bruno Peres
2

I had an issue on chrome where a cookie with an expiration of 2 weeks in the future was not being set - this happened to be the auth cookie (.AspNet.ApplicationCookie) so I was continually being redirected back to the login page. This issue did not occur in other browsers I tried.

I ended up experimenting with custom cookies to determine that chrome thought the current date was earlier than it actually was - so for example I put in a cookie that expired in 1 year today (2-Apr-2017) and actually chrome set this cookie to expire 1-Jan-2017! This would then explain why a cookie with a 2 week expiry was already considered expired, as chrome was lopping off 3 months of the actual expiry and thus considered it already expired.

A Chrome reboot didn't fix this - I rebooted the PC at this stage and this 'fixed' the bug. Also I should note this only occurred for localhost - seemingly every other site was ok.

wal
  • Thanks, I debugged this for 2h trying to shrink the cookie size and some other things but restarting the computer solved the issue! – Peter Nov 15 '16 at 10:39
2

For my situation, I was running an ASP.NET Core Razor Pages app using IIS Express (localhost:####) and I ran into this issue with Chrome. My fix was to make sure the iisSettings in Properties\launchSettings.json has a number other than 0 for sslPort (44344). With sslPort set to 0, IIS Express will not run with SSL. Changing it to 44344 then runs the app using SSL in IIS Express. Alternatively, going to the project properties in Visual Studio and using the Debug tab to Enable SSL will make this same change to launchSettings.json. For example:

```json
{
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:29025/",
      "sslPort": 44344
    }
  }
}
```
Stephen Rauch
2

To run this on your local machine with Chrome browser >=79, please follow the steps below. I fixed my problem by going to chrome://flags/ then search for cookies. Set the following 3 flags to disabled...

  • SameSite by default cookies
  • Enable removing SameSite=None cookies
  • Cookies without SameSite must be secure

Lawhatre
1

Stuck on this problem for hours and the problem was that the cookie had the wrong path. So everyone check what path the cookie is set on!

Isak
0

Go to chrome://flags and just disable these 3 options. It must work.

See on this image

StupidWolf
  • 1
    I don't find anything under "SameSite", has this changed in some ways? My Chrome version is 99.0.4844.82 on Linux Mint. – andylib93 Mar 20 '22 at 20:16
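
As an added example (not code from any of the answers), the following JavaScript checks a `Set-Cookie` header against the causes reported on this page: `Secure` sent over plain HTTP, an explicit `Domain=localhost`, `SameSite=None` without `Secure`, an existing secure cookie of the same name, and a `Path` that does not cover the request. The function names, finding codes and the shape of the `stored` array are assumptions made for illustration.

```javascript
// Added example: the causes reported in this thread as a checklist.
// It is not a model of any browser's full cookie handling.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf('=');
    // Attribute names are case-insensitive; valueless ones (Secure) become true.
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// RFC 6265 path-match: the cookie path must cover the request path.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}

// `stored` (hypothetical shape): cookies the browser already holds for the host.
function diagnoseSetCookie(requestUrl, header, stored = []) {
  const url = new URL(requestUrl);
  const https = url.protocol === 'https:';
  const { name, attrs } = parseSetCookie(header);
  const found = [];
  if (attrs.secure && !https) found.push('secure-over-http');
  if (/^\.?localhost$/i.test(String(attrs.domain))) found.push('explicit-domain-localhost');
  if (/^none$/i.test(String(attrs.samesite)) && !attrs.secure)
    found.push('samesite-none-without-secure');
  if (!https && stored.some((c) => c.name === name && c.secure))
    found.push('same-name-secure-cookie-exists');
  if (typeof attrs.path === 'string' && !pathMatches(url.pathname, attrs.path))
    found.push('path-does-not-cover-request');
  return found;
}

// Constructed sample headers, not taken from the question.
console.log(diagnoseSetCookie('http://localhost:29025/app/',
  'lang=en; Domain=localhost; Secure; Path=/other'));
console.log(diagnoseSetCookie('http://localhost/', 'lang=en; SameSite=None',
  [{ name: 'lang', secure: true }]));
console.log(diagnoseSetCookie('https://localhost:44344/',
  'lang=en; Secure; SameSite=None; Path=/'));
```

An empty result only means none of the causes listed in this thread apply; whether a given browser version accepts the cookie still has to be confirmed in its devtools.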