Angular 10: set-cookie response headers being ignored?

Question

I'm trying to use a session auth cookie after login, but the cookie isn't being saved.

For testing, I created a simple "CookieTest" method on my Dotnet Core server:

[Route("CookieTest")]
public ActionResult CookieTest()
{
  var options = new CookieOptions()
  {
    SameSite = SameSiteMode.None,
    Secure = true
  };
  Response.Cookies.Append("NoPermsCookie", "cookie set");
  Response.Cookies.Append("SameSiteSecure", "cookie set", options);
  return new OkResult();
}

If I hit the GET request from a plain browser window (using Chrome), I see the set-cookie headers, and the cookies are shown in the "Application" dev tools page.

If I run a simple test from my Angular app:

this.authService.getCookieTest().subscribe(() => console.log('Got response, check cookies!'));

public getCookieTest() {
  return this.http.get(`${this.urlBase}/api/auth/cookietest`);
}

I get the log message that the request succeeded; I see the set-cookie headers in the response; but the cookie values aren't actually set.

Here are the request headers from dev tools:

I'm sure I'm doing something wrong (CORS configuration? Missing header in the request?), but I have no idea what. I'm sure I had this working in previous versions of Angular, but haven't tried this in a long time.

Any suggestions?

Answer 1

It never fails, shortly after you ask the question you get the answer...

Looking at an article about using an HttpInterceptor to force withCredentials, I realized in my testing I was setting this as a header, rather than as an option to the HttpClient get/post requests.

Correctly using withCredentials, and everything works.

[Facepalm]