
Chrome has a long history of ignoring the Set-Cookie header. Some of these reasons have been termed bugs and fixed; others are persistent. None of them are easy to find in documentation.

  • Set-Cookie not allowed in 302 redirects
  • Set-Cookie not allowed if host is localhost
  • Set-Cookie not allowed if Expires is out of acceptable range

I am currently struggling with getting Chrome to accept a simple session cookie. Firefox and Safari seem to accept most any RFC-compliant string for Set-Cookie. Chrome stubbornly refuses to acknowledge that a Set-Cookie directive was even sent on the request (it does not show up in Developer Tools (Network)). curl looks fine.

So does anyone have either 1) modern best practices for cross-browser Set-Cookie formatting or 2) more information regarding what can cause Chrome to bork here?

Thanks.

Andrew Johnson
  • 1
    Generally Set-Cookie works for regular cases in Chrome. If it didn't, most of the web would break. As such it means that you either 1) use it in an unusual way, or 2) there's a bug in your code. In each case you'll have to actually share your code for others to figure out what *might* be wrong. – Evert Mar 02 '18 at 08:25
  • I'm having the same problem. Chrome Version 71 accepts the cookie, Firefox and Edge accept the cookie, Postman and curl accept the cookie. But I cannot get Chrome Version 72 to accept the cookie. – Stack Underflow Feb 15 '19 at 19:41
  • 3
    Ran into this as well in Chrome 72. It turned out that for some reason, our server was sending back a Date header that was an hour off, and the cookie expiration header was accurate. It seems like Chrome was going off the incorrect Date header and interpreted that the cookie was set to expire in the past and thus did not set it. – Eric Damtoft Mar 07 '19 at 18:34
  • 2
    Wow... I spent hours with an extraneous bug with cookies not updating. It turned out that Chrome ignores the Set-Cookie header for localhost. Thanks for this post! – Agustin Garzon Apr 06 '20 at 15:30
  • @AgustinGarzon Thanks for this. Was seeing weird errors that Chrome would override cookies that didn't exist; everything worked as soon as I switched away from localhost as the domain name. – Jono Aug 05 '20 at 07:38

1 Answer

3

One thing that has bitten me and is not on your list: if you are trying to set a secure cookie through HTTP on localhost, Chrome will reject it because you are not using HTTPS.

This kind of makes sense, but is annoying for local development. (Firefox apparently makes an exception for this case and allows setting secure cookies over HTTP on localhost.)

LMB
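The pitfalls collected in this thread (the skewed Date header from Eric Damtoft's comment, the Secure-over-HTTP case in the answer above, and localhost as the host from the question's list) can be checked server-side before reaching for the browser's developer tools. The checker below is an added example, not code from the thread; the header values and URL in it are constructed, and the problem messages are my wording.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr=val; Flag' into a dict (attribute names
    lowercased, bare flags such as Secure mapped to True)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, has_eq, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_eq else True
    return cookie


def cookie_problems(url: str, headers: dict) -> list:
    """Return the pitfalls from the thread that apply to the Set-Cookie header
    in `headers` for a response fetched from `url` (empty list: none apply)."""
    if "Set-Cookie" not in headers:
        return ["response carries no Set-Cookie header"]
    cookie = parse_set_cookie(headers["Set-Cookie"])
    parsed = urlsplit(url)
    problems = []
    if cookie.get("secure") and parsed.scheme != "https":
        problems.append(f"Secure attribute set but response came over {parsed.scheme}")
    if parsed.hostname == "localhost":
        problems.append("request host is localhost, which the question lists as rejected")
    if "expires" in cookie:
        expires = parsedate_to_datetime(cookie["expires"])
        # Judge expiry by the server's own Date header when present: the comment
        # above traced a dropped cookie to a Date header that was an hour off.
        now = (parsedate_to_datetime(headers["Date"]) if "Date" in headers
               else datetime.now(timezone.utc))
        if expires <= now:
            problems.append(f"Expires ({cookie['expires']}) is not after the "
                            f"server clock ({now.isoformat()})")
    return problems


if __name__ == "__main__":
    # Constructed response: server clock ahead of the cookie's Expires, Secure
    # cookie served over plain http://, and localhost as the host.
    hdrs = {"Date": "Thu, 07 Mar 2019 19:34:00 GMT",
            "Set-Cookie": "sid=abc123; Expires=Thu, 07 Mar 2019 19:00:00 GMT; "
                          "Path=/; Secure"}
    for problem in cookie_problems("http://localhost:8080/login", hdrs):
        print("-", problem)
```

Feed it the raw headers from `curl -i` (which, as the question notes, shows the header Chrome hides) to see which of the three conditions the response trips.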