Browser not keeping cookie from response header

I am trying to do something supposedly simple and easy: set a cookie! But the browser (Chrome and Safari tested) is simply ignoring it. The response headers look like:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:*
Connection:keep-alive
Content-Encoding:gzip
Content-Type:application/json; charset=utf-8
Date:Wed, 19 Jul 2017 04:51:51 GMT
Server:nginx
Set-Cookie:UserAuth=<some jwt>; Path=/; Domain=10.10.1.110; Expires=Wed, 19 Jul 2017 12:51:51 GMT; HttpOnly; Secure
Transfer-Encoding:chunked
Vary:Origin

The request does include withCredentials=true. But the cookies section in Chrome is empty. I've tried removing the domain altogether, removing the path, every configuration I can think of, but the browser just won't play ball.

What am I missing?

see sharper asked Jul 19 '17 05:07

2 Answers

Your cookie is showing HttpOnly; Secure;

Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie.

The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.

Cookies will be interrupted if they travel through HTTP with the secure flag in the TLS layer. So check your preference and set the configuration of cookies accordingly.

Ankit answered Sep 24 '22 23:09

So it turns out that the original request had 'withCredentials=true' as a request header rather than being set on the XMLHttpRequest config object.

see sharper answered Sep 22 '22 23:09
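As an added example that is not part of either answer, the Node script below models the checks a browser runs before it stores a cookie from a cross-origin XHR/fetch response, tying Ankit's point about the Secure flag to the accepted fix (withCredentials is an XMLHttpRequest property, not a request header). The rules are simplified (no public-suffix or SameSite handling), and the request URLs and origin values are constructed for illustration.

```javascript
// Added example: simplified model of why a Set-Cookie from a CORS response is dropped.
// Public-suffix and SameSite handling are deliberately omitted.

// Parse "Name=value; Attr; Attr=val" into { name, value, attrs: Map }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = new Map();
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1));
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// RFC 6265 domain-matching: identical, or a dot-bounded suffix of a host name (never of an IP).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.replace(/^\./, '').toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIp && host.endsWith('.' + domain);
}

// Returns null if the cookie would be stored, otherwise the reason it is dropped.
// `withCredentials` models xhr.withCredentials / fetch credentials:'include';
// a request header literally named "withCredentials" does NOT set it.
function whyCookieDropped({ setCookie, requestUrl, allowOrigin, allowCredentials, withCredentials }) {
  const url = new URL(requestUrl);
  if (!withCredentials) return 'withCredentials not set on the XHR: Set-Cookie ignored';
  if (allowOrigin === '*') return 'Access-Control-Allow-Origin: * is refused with credentials';
  if (allowCredentials !== 'true') return 'Access-Control-Allow-Credentials must be exactly "true"';
  const c = parseSetCookie(setCookie);
  if (c.attrs.has('secure') && url.protocol !== 'https:') return 'Secure cookie on a non-HTTPS request';
  const domain = c.attrs.get('domain');
  if (typeof domain === 'string' && !domainMatches(url.hostname, domain)) {
    return `Domain=${domain} does not match request host ${url.hostname}`;
  }
  return null;
}

// Constructed input: the Set-Cookie header from the question, with a placeholder token.
const threadCookie = 'UserAuth=<some jwt>; Path=/; Domain=10.10.1.110; Expires=Wed, 19 Jul 2017 12:51:51 GMT; HttpOnly; Secure';
for (const withCredentials of [false, true]) {
  console.log(withCredentials, whyCookieDropped({ setCookie: threadCookie, requestUrl: 'https://10.10.1.110/login',
    allowOrigin: '*', allowCredentials: 'true', withCredentials }));
}
```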