I am running a Spring Boot server with a POST endpoint that sets a cookie. When making a request to the endpoint from my Angular app I do not see the Set-Cookie header in the response headers in Chrome's dev console. Why is the Set-Cookie header not showing up?
The Set-Cookie response header does show up in the response headers when using curl, Set-Cookie is also present in Safari, and it shows up in the Chrome net-export logs.
Angular app: ng serve --host 0.0.0.0 --disable-host-check command at http://example.com:4200
Spring Boot server: http://example.com:8080
Endpoint: http://example.com:8080/accounts/v1/user/authenticate
Chrome: Version 73.0.3683.103 (Official Build) (64-bit)
The Set-Cookie header is visible in the response headers in the Safari developer console.
Chrome Dev Console
Went to the devconsole -> network -> authenticate request. I viewed the request and response headers and Set-Cookie was not there.
Request headers
Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: http://example.com:4200
Referer: http://example.com:4200/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Response headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://example.com:4200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Wed, 17 Apr 2019 21:58:52 GMT
Expires: 0
Pragma: no-cache
Server: nginx/1.15.6
Transfer-Encoding: chunked
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Using Chrome chrome://net-export/
I saved the logs for the post request. Interestingly the Set-Cookie header does appear in these logs. Additionally the Cookie header does show up in the request as well (probably got saved from a previous attempt).
t=190196 [st= 0] +REQUEST_ALIVE [dt=125]
--> priority = "MEDIUM"
--> url = "http://example.com/accounts/v1/user/authenticate"
t=190196 [st= 0] NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=0]
t=190196 [st= 0] +URL_REQUEST_START_JOB [dt=124]
--> load_flags = 0 (NORMAL)
--> method = "POST"
--> privacy_mode = 0
--> upload_id = "0"
--> url = "http://example.com/accounts/v1/user/authenticate"
t=190197 [st= 1] NETWORK_DELEGATE_BEFORE_START_TRANSACTION [dt=0]
t=190197 [st= 1] HTTP_CACHE_GET_BACKEND [dt=0]
t=190197 [st= 1] +HTTP_STREAM_REQUEST [dt=0]
t=190197 [st= 1] HTTP_STREAM_JOB_CONTROLLER_BOUND
--> source_dependency = 16598 (HTTP_STREAM_JOB_CONTROLLER)
t=190197 [st= 1] HTTP_STREAM_REQUEST_BOUND_TO_JOB
--> source_dependency = 16599 (HTTP_STREAM_JOB)
t=190197 [st= 1] -HTTP_STREAM_REQUEST
t=190197 [st= 1] UPLOAD_DATA_STREAM_INIT [dt=0]
--> is_chunked = false
--> net_error = 0 (?)
--> total_size = 43
t=190197 [st= 1] +HTTP_TRANSACTION_SEND_REQUEST [dt=0]
t=190197 [st= 1] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> POST /accounts/v1/user/authenticate HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 43
Accept: application/json, text/plain, */*
Origin: http://example.com:4200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Content-Type: application/json
Referer: http://example.com:4200/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Authorization="xxxx"
t=190197 [st= 1] HTTP_TRANSACTION_SEND_REQUEST_BODY
--> did_merge = false
--> is_chunked = false
--> length = 43
t=190197 [st= 1] UPLOAD_DATA_STREAM_READ [dt=0]
--> current_position = 0
t=190197 [st= 1] UPLOAD_DATA_STREAM_READ [dt=0]
--> current_position = 43
t=190197 [st= 1] -HTTP_TRANSACTION_SEND_REQUEST
t=190197 [st= 1] +HTTP_TRANSACTION_READ_HEADERS [dt=122]
t=190197 [st= 1] HTTP_STREAM_PARSER_READ_HEADERS [dt=122]
t=190319 [st=123] HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 200 OK
Server: nginx/1.15.6
Date: Wed, 17 Apr 2019 21:27:35 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: Authorization="xxxx"; Version=1; Domain=.example.com; Max-Age=1031; Expires=Wed, 17-Apr-2019 21:44:46 GMT
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: DENY
Access-Control-Allow-Origin: http://example.com:4200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
t=190319 [st=123] -HTTP_TRANSACTION_READ_HEADERS
t=190319 [st=123] NETWORK_DELEGATE_HEADERS_RECEIVED [dt=0]
t=190320 [st=124] -URL_REQUEST_START_JOB
t=190320 [st=124] URL_REQUEST_DELEGATE_RESPONSE_STARTED [dt=0]
t=190320 [st=124] HTTP_TRANSACTION_READ_BODY [dt=1]
t=190321 [st=125] URL_REQUEST_JOB_FILTERED_BYTES_READ
--> byte_count = 698
--> bytes = "xxxx"
t=190321 [st=125] HTTP_TRANSACTION_READ_BODY [dt=0]
t=190321 [st=125] -REQUEST_ALIVE
Using Chrome Options
Some posts suggested disabling this Chrome option: chrome://flags/#site-isolation-trial-opt-out. But this had no effect.
Added the withCredentials: true option to my POST request in Angular. But that did not resolve the issue.
I tried to simulate a request from the UI using curl
curl -i -H 'Origin: http://example.com:4200' -H 'Accept: application/json, text/plain, */*' -H 'Content-Type: application/json' -H 'Referer: http://example.com:4200/' --request POST --data '{"primaryEmailAddress":"[email protected]"}' http://example.com:8080/accounts/v1/user/authenticate
The response headers to the request contained the Set-Cookie header:
HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: Authorization="Bearer xxxx"; Version=1; Domain=.example.com; Max-Age=545; Expires=Wed, 17-Apr-2019 22:00:46 GMT
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: DENY
Date: Wed, 17 Apr 2019 21:51:41 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://example.com.com:4200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
Transfer-Encoding: chunked
Content-Type: application/json;charset=UTF-8
Check whether the OPTIONS response header Access-Control-Allow-Credentials is set to true. If the server doesn't allow credentials being sent along, the browser will just not attach cookies and authorization headers. So this could be another reason why the cookies are missing in the POST cross-site request.
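The answer above describes the browser-side rule informally. The following is an added example, not code from the question, the answers, or the Spring Boot/Angular projects involved: a small model of the two checks a browser applies before a cross-origin response's cookie becomes usable, run against the headers pasted in the question. The header names are the real CORS header names; the `QUESTION_RESPONSE` and `WEAK_RESPONSE` objects are constructed sample inputs, and the request host `example.com` is taken from the net-export log.

```javascript
// Added example (not from the original question or answers). Models:
//  1. The CORS check for a credentialed request (withCredentials: true):
//     Access-Control-Allow-Origin must equal the request Origin exactly
//     (the wildcard "*" is rejected) and Access-Control-Allow-Credentials
//     must be exactly "true". Otherwise the browser discards the response,
//     and with it the Set-Cookie header.
//  2. Cookie domain-matching (RFC 6265 section 5.1.3): a Domain attribute
//     is accepted only if the request host equals it or is a subdomain of it.
// Header names are compared case-insensitively, as in HTTP.

function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return null;
}

// Verdict for a credentialed cross-origin request: { ok, reason }.
function corsCredentialVerdict(requestOrigin, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  const allowCreds = getHeader(responseHeaders, "Access-Control-Allow-Credentials");
  if (allowOrigin === null) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (allowOrigin === "*") return { ok: false, reason: "wildcard origin is rejected with credentials" };
  if (allowOrigin !== requestOrigin) return { ok: false, reason: "origin mismatch: " + allowOrigin };
  if (allowCreds !== "true") return { ok: false, reason: "Access-Control-Allow-Credentials is not exactly 'true'" };
  return { ok: true, reason: "credentialed CORS check passed" };
}

// Extracts the Domain attribute of a Set-Cookie value (leading dot ignored)
// and reports whether a browser would store the cookie for requestHost.
function cookieDomainAccepted(setCookieValue, requestHost) {
  let domain = "";
  for (const attr of setCookieValue.split(";").slice(1)) {
    const a = attr.trim();
    const eq = a.indexOf("=");
    const key = (eq === -1 ? a : a.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? "" : a.slice(eq + 1).trim();
    if (key === "domain") domain = val.toLowerCase().replace(/^\./, "");
  }
  const host = requestHost.toLowerCase();
  if (domain === "") return true; // host-only cookie: always stored for the request host
  return host === domain || host.endsWith("." + domain);
}

// Constructed sample: the relevant response headers from the question.
const QUESTION_RESPONSE = {
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Origin": "http://example.com:4200",
  "Set-Cookie": 'Authorization="xxxx"; Version=1; Domain=.example.com; Max-Age=1031',
};
// Constructed weak variant: wildcard origin, which fails with credentials.
const WEAK_RESPONSE = { ...QUESTION_RESPONSE, "Access-Control-Allow-Origin": "*" };

function demo() {
  return {
    questionCors: corsCredentialVerdict("http://example.com:4200", QUESTION_RESPONSE),
    wildcardCors: corsCredentialVerdict("http://example.com:4200", WEAK_RESPONSE),
    cookieForHost: cookieDomainAccepted(QUESTION_RESPONSE["Set-Cookie"], "example.com"),
    cookieForLookalike: cookieDomainAccepted(QUESTION_RESPONSE["Set-Cookie"], "evil-example.com"),
  };
}

console.log(demo());
```

For the headers in the question both checks pass, so the CORS configuration is not what hides the cookie. One caveat worth knowing when debugging from page script rather than DevTools: Set-Cookie is a forbidden response-header name in the Fetch standard, so `response.headers.get("Set-Cookie")` always returns null in the browser even when the server sent it; the Application tab's cookie store is the reliable place to confirm the cookie was stored.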
To view the request or response HTTP headers in Google Chrome, take the following steps: in Chrome, visit a URL, right-click, and select Inspect to open the developer tools. Select the Network tab. Reload the page, select any HTTP request in the left panel, and the HTTP headers will be displayed in the right panel.
I noticed this same behavior (using Chrome 75). I don't know why Chrome dev tools doesn't show the Set-Cookie response header under the Network tab. (It seems like it should.) However, you can verify that the cookie has been set if you look under the Application tab (see Application -> Storage -> Cookies). There, you can also edit and clear cookies.