16

I have an application on my localhost in https. But the certificate on localhost is broken.

Below is the response header. Problem: MyCookie is not created:

MyCookie=MyValue;Path=/;Domain=localhost;Secure; HttpOnly

But for this header, the cookie is created:

MyCookie=MyValue;Path=/;Secure; HttpOnly

Is there any Chrome policy which disallows creating a cookie for a broken https page which sets the domain in the header?

lukastymo
  • Possible duplicate of [Chrome localhost cookie not being set](https://stackoverflow.com/questions/7346919/chrome-localhost-cookie-not-being-set) – Vadzim Apr 16 '18 at 20:15

4 Answers

40

Explicitly setting a domain cookie on localhost doesn't work in Chrome.

From this:

You can only set domain cookies for registry controlled domains, i.e. something ending in .com or so, but not IPs or intranet hostnames like localhost

lukastymo
  • 1
    You are right about chrome not allowing servers to set domain cookies for intranet hostnames like localhost but I was able to set domain cookies using my local IP address (eg: 192.168.15.81) – burnt1ce Nov 19 '13 at 20:06
  • 1
    I was able to set cookies using loopback ip (127.0.0.1). – naXa stands with Ukraine Nov 26 '14 at 13:00
  • IPs including 127.0.0.1 work, but localhost ridiculously won't. – kaefert Jan 07 '15 at 11:48
  • 29
    Gosh, what kind of deranged person has thought this is a good idea? I've spent two hours on this ridiculous Chrome bug. – polkovnikov.ph Jan 20 '16 at 00:25
  • So, Chrome is unusable in intranets. I confirm I've spent days investigating why certain login schemes don't work, ending at this same reason. – dimplex Jun 21 '17 at 08:43
  • This is not the first time I've been here.... Chrome should really put something on the console about refusing to set the cookie because _blah_. – Cory Mawhorter Jan 17 '18 at 22:04
  • 1
    It seems like a strange bug. `localhost` used to work for me, then I used `dev.localhost`, then it stopped working, then `dev.local`, and it stopped working too. `127.0.0.1` currently works. Or maybe it is a rogue extension because it works in Incognito mode. – vaughan May 15 '18 at 14:05
  • I assume security concerns. You don't keep an IP sometimes; you only own the domain name. If you change IPs, then what happens if someone starts using that IP address? There is an attack vector (though _normally_ this wouldn't happen) where your sensitive cookies you set are given to someone else. Same concept with localhost. Another person can (maybe through social engineering) get someone to run something on their localhost. They would then have access to every single 'localhost' cookie -- which you might have thought was safe from others seeing. That's my guess at least – Alexander Bird May 02 '19 at 15:47
  • I turned my localhost into https://127.0.0.1:8887/#/login using webserver from chrome. Still it is not working for me. Please help – jay rangras Jun 02 '21 at 09:10
15

Try to set

cookie_domain = ""

By this the cookie can be created and will work.

I've tried it and it was working fine.

p.s.w.g
Richa
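
An added example (not part of the original answers) of the empty-cookie-domain approach: a Python helper that leaves out the Domain attribute for localhost, IP literals and single-label hosts, so the cookie is host-only, and sends Domain only when the request host matches a multi-label domain. The function names, the hostname heuristic and the sample hosts are assumptions made for illustration.

```python
import ipaddress
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def hostname_of(host_header: str) -> str:
    """Strip the port and IPv6 brackets from a Host header value."""
    return (urlsplit("//" + host_header).hostname or "").rstrip(".")


def may_send_domain(host: str, cookie_domain: str) -> bool:
    """Decide whether a Domain attribute is worth sending for this host."""
    try:
        ipaddress.ip_address(host)
        return False  # IP literal: keep the cookie host-only
    except ValueError:
        pass
    # Assumed heuristic: single-label names and *.localhost are intranet hosts.
    if "." not in host or host.endswith(".localhost"):
        return False
    # RFC 6265 domain-match: the host must equal the domain or be a subdomain.
    domain = cookie_domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def build_set_cookie(name, value, host_header, cookie_domain=""):
    """Return a Set-Cookie value; Domain is omitted unless it can be honoured."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    host = hostname_of(host_header)
    if cookie_domain and may_send_domain(host, cookie_domain):
        morsel["domain"] = cookie_domain
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample requests: (Host header, configured cookie domain)
    for host_header, domain in [("localhost:8443", "localhost"),
                                ("127.0.0.1:8887", "127.0.0.1"),
                                ("app.example.com", "example.com")]:
        print(host_header, "->", build_set_cookie("MyCookie", "MyValue", host_header, domain))
```

A host-only cookie is also the narrower scope: it is returned only to the exact host that set it, not to its subdomains.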
14

I guess the easiest workaround for this is to add an entry to the hosts file, like

127.0.0.1    localhost.com    

and then calling http://localhost.com/ instead of just localhost.

But having said that, this restriction is ridiculous IMO.

isapir
1

I use Chrome Version 51.0.2704.103 and it is not a problem to set "localhost" as a domain. It was a problem to set and save a cookie with ".localhost".

ognjenkl