Set-Cookie (from AJAX) header not setting cookie in browser

Question

I have a single page application that's using a web API. When a user logs in, I would want the server to set a cookie for further identification.

AJAX requests are obviously HTTP, only with a small identifying header. For as far as I know, the browser's agent should not differentiate between XMLHttpRequest and normal requests. Especially since I'm using a relatively old version of firefox.

App URL: http://sub.domain.com/app API Request: http://sub.domain.com/service/method

The domain and subdomain are exactly the same. There's no attempt to change other domains cookies.

As you can see the cookie is recognized by the browser's request parser. Even after digging all over SO and Google, I haven't found one logical explanation to why this isn't setting the cookie.

Tried a bunch of different Set-Cookie arguments combinations. I figured the most stable syntax is key=value; expires=date; domain=.domain.com and that's what I use in the example above.

P.S. I am using actual domain and subdomain, NOT localhost. Using a relatively old and stable version of Firefox.

@junkangli The code is all auth logic, I just added the Set-Cookie HTTP header to the response like so `key=value; expires=date; domain=.domain.com`... — fingeron, May 16 '18 at 07:51
@junkangli I use this Firefox Cookie Manager -> https://addons.mozilla.org/en-US/firefox/addon/a-cookie-manager/ — fingeron, May 16 '18 at 08:38

Tarun Lalwani · Accepted Answer · 2018-06-04T10:55:18.950

4

I think you issue is quite well explained here

How does a browser handle cookie with no path and no domain

For Set-Cookie without path attribute, RFC6265 states that:

If the server omits the Path attribute, the user agent will use the "directory" of the request-uri's path component as the default value.

So from your server you need to set path=/ as well to make sure cookie is accessible to everyone

Edit-1

Also make sure that your webpage and API both run on the same protocol. Because if the cookie is marked secured then the same cannot be read by an http url

edited Jun 04 '18 at 10:55

answered May 29 '18 at 11:51

Tarun Lalwani

142,312
9
204
265

Sorry! After a lot of trial and error I realized that the problem was unfortunately something way stupider and am a little bit ashamed. The website I was using was running on HTTP while the API requests were in HTTPS. I can't believe it took me that long to realize. Nevertheless, the "Path" tip is definitely a good one. So, just for later reference, please add this to your answer as well. Thanks alot! – fingeron Jun 04 '18 at 09:18

score 2 · Answer 2 · answered Jun 04 '18 at 09:30

The problem can occur due to two reasons:

The Set-Cookie header returns from an HTTPS request to an HTTP website.
"Path" attribute is not set so it defaults to the API URI's path (as explained by Tarun Lalwani).

The syntax that ended up working was:

Set-Cookie: test=working; Domain=.domain.com; Path=/; Secure

Set-Cookie (from AJAX) header not setting cookie in browser

2 Answers2