MS Edge dropping cookie

We're experiencing a strange behaviour on MS Edge with at least versions 16/17. The same issue does not happen on IE 11/Chrome/Firefox.

Our users are authenticated via a session cookie. The cookie name is "app". Other cookies involve storing the current display language with a cookie name of "prefLang". The cookies are HttpOnly, secure and set only for the actual subdomain in use.

In some cases, MS Edge simply drops the session cookie named "app" and it is no longer part of the HTTP request. The mentioned "prefLang" cookie is not dropped and is visible on the server.

The dropping is not easily reproducible but has sometimes been visible when:

  • The user opens an externally linked page from the logged-in app context with target=_blank
  • More than 12 minutes have passed between page requests within the app context
  • immediately within seconds of page requests
  • the user opens an iframe with a page request from the same origin

Example with request/response debug information server side where the session cookie app=redactedABC is not transmitted to the server

2018-11-28 09:44:00 UTC POST hasIdentity: 1 UserId: <redacted>  Request: https://app.domain.com/page/action/full/add/0 / Cookie: _gid=redacted; _ga=redacted; app=redacted-ABC; prefLang=de

2018-11-28 09:44:00 UTC 200 hasIdentity: 0 UserId: 0  Response headers: Array
(
    [0] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
    [1] => Cache-Control: no-store, no-cache, must-revalidate
    [2] => Pragma: no-cache
)

2018-11-28 09:46:21 UTC POST hasIdentity: 0 UserId: 0  Request: https://app.domain.com/page/action/full/add/0 / Cookie: _gid=redacted; _ga=redacted; prefLang=de

2018-11-28 09:46:21 UTC 302 hasIdentity: 0 UserId: 0  Response headers: Array
(
    [0] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
    [1] => Cache-Control: no-store, no-cache, must-revalidate
    [2] => Pragma: no-cache
    [3] => Set-Cookie: app=redactedXYZ; path=/; domain=app.domain.com; secure; HttpOnly
)

2018-11-28 09:46:21 UTC GET hasIdentity: 0 UserId: 0  Request: https://app.domain.com/account/login / Cookie: _gid=redacted; _ga=redacted; prefLang=de; app=redactedXYZ

2018-11-28 09:46:21 UTC 200 hasIdentity: 0 UserId: 0  Response headers: Array
(
    [0] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
    [1] => Cache-Control: no-store, no-cache, must-revalidate
    [2] => Pragma: no-cache
)
asked Nov 28 '18 23:11
Paul Cream


1 Answer

I have so many questions and thoughts that it will be too long for a comment:

  1. When you say it's ok in other browsers, is it based on some test cases, or is Edge only one of the many browsers usually employed?
  2. Have you managed to check if the cookie is still being registered client side before/after the faulty request? Have you checked the request headers client side? The question is about Edge forgetting the cookie itself, Edge forgetting to send the cookie, Edge sending a bad cookie. Have you also tried to tweak the cookie name and content a bit (remove the domain, for instance, if feasible in your subdomain context)?
  3. What about server side? Load balancers can be an explanation. Session storage could also be a clue (quite a low chance though, except if the "no returned session cookie" request is the consequence of a previous unlogged invalid cookie kicking). Of course, server-side investigations make no sense if other browsers are running flawlessly in significant numbers.
  4. How are you running the client-side app and performing requests? Ajax or fetch requests alongside full document loading (your URIs are looking very APIsh)? Have you noticed a link between request mode and the issue? Unavailability of the cookie data within client parts of the app can also be a guideline (a service worker that can't access cookies awakening on a request upon seldom-met conditions, for instance). Edge can also be faulty with cookies sent back with Ajax in local files (an awful app way, but I've seen so many weird things).

With the information you've provided, very few of these points seem able to produce such an inconsistent behavior, except if mixed in some bloody Edge-sensitive potion. Anyway, the answers may help to focus the issue and define a more reproducible context.

Aside from this, I've found a 2-year-old thread talking about a very, very, very similar issue, still active and looking unsolved, for... IE11 (sorry). It's related to session cookie drops when accessed from different browser processes (like tabs or iframes). I've found nothing about this issue for Edge and I believe that most of the engine has been rewritten, but perhaps you managed to find the haunted section (though you're saying that all is fine on IE11)?

If you agree, you'd better edit your own question with related relevant points so I can delete this answer that is not a real answer.

answered Oct 14 '22 16:10
Bertrand
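Added example, not part of the original question or answer: a small Python script that reads a debug log in the format shown in the question and labels each request according to whether the "app" session cookie was missing, re-issued by the server, or changed without a matching Set-Cookie (the cases the answer's point 2 distinguishes). The sample log lines are constructed, the verdict labels and function names are this example's own, and it assumes the log slice belongs to a single browser.

```python
import re

# Constructed sample in the format of the question's server-side debug log.
SAMPLE_LOG = """\
2018-11-28 09:44:00 UTC POST hasIdentity: 1 UserId: 42  Request: https://app.domain.com/page/a / Cookie: _ga=x; app=sess-ABC; prefLang=de
2018-11-28 09:46:21 UTC POST hasIdentity: 0 UserId: 0  Request: https://app.domain.com/page/a / Cookie: _ga=x; prefLang=de
2018-11-28 09:46:21 UTC 302 hasIdentity: 0 UserId: 0  Response headers: Array
(
    [0] => Set-Cookie: app=sess-XYZ; path=/; domain=app.domain.com; secure; HttpOnly
)
2018-11-28 09:46:21 UTC GET hasIdentity: 0 UserId: 0  Request: https://app.domain.com/account/login / Cookie: _ga=x; prefLang=de; app=sess-XYZ
"""

REQUEST = re.compile(r"^(?P<ts>\S+ \S+) UTC (?P<method>[A-Z]+) .*? Request: (?P<url>\S+) / Cookie: (?P<cookies>.*)$")
SET_COOKIE = re.compile(r"Set-Cookie: (?P<name>[^=;\s]+)=(?P<value>[^;]*)")

def parse_cookie_header(header):
    """Split a Cookie request header into a name -> value dict."""
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}

def classify_requests(log_text, session_cookie="app"):
    """Return (timestamp, method, url, verdict) for every request line."""
    # Assumption: log_text holds the requests of one browser only.
    results, last_sent, issued = [], None, set()
    for line in log_text.splitlines():
        m = SET_COOKIE.search(line)
        if m and m.group("name") == session_cookie:
            issued.add(m.group("value"))      # value the server handed out
            continue
        m = REQUEST.match(line)
        if not m:
            continue
        value = parse_cookie_header(m.group("cookies")).get(session_cookie)
        if value is None:
            # "missing": sent earlier, not sent now; "absent": never seen
            verdict = "missing" if last_sent else "absent"
        elif last_sent is None or value == last_sent:
            verdict = "ok"
        elif value in issued:
            verdict = "reissued"              # new id matches a Set-Cookie
        else:
            verdict = "changed"               # new id the server never sent
        if value is not None:
            last_sent = value
        results.append((m.group("ts"), m.group("method"), m.group("url"), verdict))
    return results
```

A "missing" verdict on a request that still carries prefLang matches the symptom in the question; correlating those rows with the User-Agent and the triggering navigation (new tab, iframe, idle time) is what narrows down a reproducible case.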