
I have a local server that successfully sets an HttpOnly cookie on a local client, but the same code on a remote server is not setting the cookie.

The local server is a Chalice server running on http://localhost:8000. The response headers are:

{
    'Content-Type': 'application/json', 
    'Access-Control-Allow-Origin': 'http://localhost:5000', 
    'Access-Control-Allow-Credentials': 'true', 
    'Set-Cookie': 'refresh-token=my_token_value; <Max-Age>=605000; Path=/; HttpOnly'
}

The local client is running on http://localhost:5000. It is calling via fetch:

fetch("http://localhost:8000/login", {
    method: 'POST',
    headers: {'Content-Type': 'text/plain'},
    body: JSON.stringify(payload),
    credentials: 'include',
    mode: 'cors'
})

The remote server is running on something like https://my-server-domain.com/api. The response headers are:

{
    'Content-Type': 'application/json', 
    'Access-Control-Allow-Origin': 'https://my-client-domain.com', 
    'Access-Control-Allow-Credentials': 'true', 
    'Set-Cookie': 'refresh-token=my_token_value; <Max-Age>=605000; Path=/; HttpOnly'
}

The remote client is running on something like https://my-client-domain.com. It is calling the same way as the local client:

fetch("https://my-server-domain.com/api/login", {
    method: 'POST',
    headers: {'Content-Type': 'text/plain'},
    body: JSON.stringify(payload),
    credentials: 'include',
    mode: 'cors'
})

The API calls to the remote server work -- they return the expected response -- but the cookie is not getting set to the browser. Any suggestions as to why this might be?

v4gil

2 Answers


Try to simply set the cookies directly on the client, then send them to the server.

UserOfStackOverFlow
  • When I set a cookie manually with `document.cookie = 'simple_key=simple_value; path=/'` the cookie appears in my local server but not on my remote server. I've also tried adding combinations of `'; secure'`, `'; domain=my-server-domain.com'` and `'; domain=https://my-server-domain.com'`. No cookies appear on my remote server. – v4gil Aug 16 '21 at 20:36
  • Seems like it's a server-side configuration; try to handle the basics for functionality checking. – UserOfStackOverFlow Aug 17 '21 at 12:51

The big difference between my local deployment and remote deployment was running over https. What ended up working was adding `SameSite=None; Secure` to the cookie.

v4gil
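
Added example (not part of the original answer): a simplified JavaScript model of the browser check behind this fix, showing why the localhost pair stored the cookie while the two remote domains did not. It assumes a browser that treats a missing SameSite as Lax and approximates the site as the last two host labels; `siteOf`, `parseSetCookie`, `cookieVerdict` and the sample header are constructed for illustration.

```javascript
// Added example: models whether a browser stores a cookie from a fetch() response.
// Assumptions: a missing SameSite is treated as Lax (Chrome's default), and the
// "site" is approximated as scheme + last two host labels (browsers use the
// Public Suffix List). Hostnames only, no IP literals.

function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  const registrable = labels.length <= 2 ? u.hostname : labels.slice(-2).join('.');
  return `${u.protocol}//${registrable}`; // the port is not part of the site
}

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), secure: false, sameSite: 'lax' };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    if (k === 'samesite') cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

function cookieVerdict(pageUrl, requestUrl, setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  const crossSite = siteOf(pageUrl) !== siteOf(requestUrl);
  if (cookie.sameSite === 'none' && !cookie.secure) {
    return { stored: false, reason: 'SameSite=None requires Secure' };
  }
  if (crossSite && cookie.sameSite !== 'none') {
    return { stored: false, reason: `SameSite=${cookie.sameSite} cookie in a cross-site response` };
  }
  return { stored: true, reason: crossSite ? 'cross-site, SameSite=None; Secure' : 'same-site request' };
}

// Constructed sample header modeled on the question's Set-Cookie value.
const BASE = 'refresh-token=my_token_value; Max-Age=605000; Path=/; HttpOnly';
const LOCAL = ['http://localhost:5000/', 'http://localhost:8000/login'];
const REMOTE = ['https://my-client-domain.com/', 'https://my-server-domain.com/api/login'];

console.log(cookieVerdict(...LOCAL, BASE));   // same-site: ports differ, site does not
console.log(cookieVerdict(...REMOTE, BASE));  // blocked: cross-site, Lax by default
console.log(cookieVerdict(...REMOTE, BASE + '; SameSite=None; Secure')); // stored
```

The browser's own verdict for a given response is shown in DevTools under the request's Cookies tab, where a rejected `Set-Cookie` is listed with its blocking reason.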