Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why does Chrome ignore Set-Cookie header?

Chrome has a long history of ignoring Set-Cookie header. Some of these reasons have been termed bugs and fixed, others are persistent. None of them are easy to find in documentation.

  • Set-Cookie not allowed in 302 redirects
  • Set-Cookie not allowed if host is localhost
  • Set-Cookie not allowed if Expires is out of acceptable range

I am currently struggling with getting chrome to accept a simple session cookie. Firefox and Safari seem to accept most any RFC compliant string for Set-Cookie. Chrome stubbornly refuses to acknowledge that a Set-Cookie directive was even sent on the request (does not show up in Developer Tools (Network)). curl looks fine.

So does anyone have either 1) modern best practices for cross-browser Set-Cookie formatting or 2) more information regarding what can cause Chrome to bork here?

Thanks.

like image 933
Andrew Johnson Avatar asked Mar 02 '18 08:03

Andrew Johnson


People also ask

Why is cookie not being set?

Check out the OPTIONS response header ACCESS-CONTROL-ALLOW-CREDENTIAL whether it is set to true . If the server doesn't allow credentials being sent along, the browser will just not attach cookies and authorization headers. So this could be another reason why the cookies are missing in the POST cross-site request.

What is the difference between set-cookie and cookie header?

The Set-Cookie header is sent by the server in response to an HTTP request, which is used to create a cookie on the user's system. The Cookie header is included by the client application with an HTTP request sent to a server, if there is a cookie that has a matching domain and path.

What do I do with cookie set header?

The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.

How do I view cookie headers in Chrome?

In the developer tab related to the cookie, you can view only the cookie related to the response. In order to understand which headers was sent during the request, you have to move under the network tab and then you can click over your request. Here you can now see the headers related to your request. Save this answer.


1 Answers

One thing that has bitten me and is not on your list: if you are trying to set a secure cookie through HTTP on localhost, Chrome will reject it because you are not using HTTPS.

This kind of makes sense, but is annoying for local development. (Firefox apparently makes an exception for this case and allow to set secure cookies over HTTP on localhost).

like image 175
LMB Avatar answered Sep 28 '22 07:09

LMB