Issue
I work both on client and server. When developing, my client runs on http://localhost:3000/ while my server runs on https://local.somedomain.com. The server sends a cookie like
set-cookie: a=aB5Th....;Path=/;Expires=Sun, 02-Aug-2020 11:26:36 GMT;Max-Age=5184000
This cookie is needed for a download link looking like https://local.somedomain.com/api/v2/ExportSomething.xlsx
However, it isn't there. As the server didn't specify a domain, it might make sense. OTOH, according to this answer, "You can't modify the cookies of one domain using a servlet or JavaScript hosted on another domain, for security reasons", and I don't want to set any cookie for any domain except the one the server runs on, so I'm asking why I should specify anything when there's no choice?
Filtering "Has blocked cookies" in Chromium devtools shows nothing, which I'd interpret as "everything is fine, cookies came through". Am I wrong?
The strange thing is that it used to work one or two weeks ago, at least in Chromium (and I'm very sure about that as I worked a few hours on the export). Now it works in none of the four browsers I have tried. Any explanation?
Assuming it's necessary to specify the domain when setting the cookie, is this comment correct?
Boring details
- every request sets the cookies in the same way
- no requests beside the above download link use cookies
- CORS is obviously needed and works and every request gets handled the same way
- there are no other servers involved
Update
I've just tried cookie.setDomain("local.somedomain.com") and also this with a leading dot, and it didn't help.
I also tried leaving out the Max-Age (which also removes Expires, which was otherwise added automatically) and it didn't help either (someone claimed that only session cookies work on localhost).
Solution
Possible reasons for such behavior (that I can think of):
- The browser settings reject all third-party cookies (if localhost receives a cookie from local.somedomain.com, that would be considered third-party)
- A browser extension is blocking the cookie
- The local.somedomain.com server response does not include the necessary CORS headers to allow localhost to receive the cookie (Access-Control-Allow-Origin must be present and not set to '*', Access-Control-Allow-Credentials must be present and 'true')
- Google is messing with you
That last point is actually not a joke, and most likely the cause here. Google has been tweaking the "SameSite" rules for cookies in Chromium, documented here: https://www.chromium.org/updates/same-site
And a related case on SO: Confusion regarding SameSite changes with Chrome
Answered By - Simon
Answer Checked By - Terry (JavaFixing Volunteer)
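The following is an added example, not code from the question or from Simon's answer. It shows, in working JavaScript, the two server-side points the answer makes (a credentialed CORS response must echo the specific Origin and set Access-Control-Allow-Credentials: true) together with the cookie attributes the Chromium SameSite changes require for a cookie set from a cross-site XHR/fetch response (SameSite=None; Secure). It also includes a small model of Chromium's storage decision so the question's original Set-Cookie line can be compared against a corrected one. The allowlist ALLOWED_ORIGINS, the function names and the client-side fetch options are assumptions for illustration; the cookie name "a" and the Max-Age value are taken from the question.

```javascript
// Added example (not from the original post or answer). Assumed names:
// ALLOWED_ORIGINS, buildCrossSiteResponseHeaders, chromiumStoresCookie,
// exportFetchOptions. Cookie name "a" and Max-Age come from the question.

const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);

// Server side: response headers for a credentialed cross-site request.
// Returns null when the Origin is not allowlisted (caller should answer 403).
function buildCrossSiteResponseHeaders(requestOrigin, cookieValue, maxAgeSeconds = 5184000) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null;
  return {
    // Must be the specific origin, never '*', when credentials are involved.
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key on Origin so one client's allowed origin is not replayed to another.
    'Vary': 'Origin',
    // SameSite=None lets the cookie be stored from a cross-site fetch response;
    // Chrome 80+ rejects SameSite=None unless Secure is also present.
    // Domain is left unset on purpose: the cookie stays host-only for the server.
    'Set-Cookie': `a=${cookieValue}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=None`,
  };
}

// Parse a Set-Cookie header into { name, value, attrs }, attribute names lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Model of Chromium's decision for a cookie arriving in a subresource (XHR/fetch)
// response after the SameSite changes (https://www.chromium.org/updates/same-site):
//   - no SameSite attribute -> treated as Lax
//   - Lax or Strict         -> not stored when the request context is cross-site
//   - None                  -> accepted only together with Secure, over https
function chromiumStoresCookie(setCookieHeader, { crossSite, https }) {
  const { attrs } = parseSetCookie(setCookieHeader);
  const sameSite = String(attrs.samesite === undefined ? 'lax' : attrs.samesite).toLowerCase();
  const secure = attrs.secure === true;
  if (secure && !https) return { stored: false, reason: 'Secure cookie on a non-https response' };
  if (sameSite === 'none') {
    return secure
      ? { stored: true, reason: 'SameSite=None; Secure' }
      : { stored: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (crossSite) return { stored: false, reason: `SameSite=${sameSite} cookie rejected in cross-site response` };
  return { stored: true, reason: `SameSite=${sameSite} cookie in same-site response` };
}

// Client side (http://localhost:3000): without credentials: 'include' the browser
// neither sends nor stores cookies for the cross-site request, whatever the server does.
function exportFetchOptions() {
  return { method: 'GET', mode: 'cors', credentials: 'include' };
}

// The question's cookie (no SameSite attribute) versus the corrected header.
const questionCookie = 'a=aB5Th; Path=/; Expires=Sun, 02-Aug-2020 11:26:36 GMT; Max-Age=5184000';
console.log(chromiumStoresCookie(questionCookie, { crossSite: true, https: true }));
const fixedHeaders = buildCrossSiteResponseHeaders('http://localhost:3000', 'aB5Th');
console.log(chromiumStoresCookie(fixedHeaders['Set-Cookie'], { crossSite: true, https: true }));
```

The model only covers the subresource case that applies to the question (the cookie is set by a fetch/XHR from localhost and must be in the jar before the later top-level navigation to the download link); it does not model Chromium's short "Lax+POST" allowance for top-level form posts. A real server would also have to answer the CORS preflight with the same Access-Control-Allow-Origin and Access-Control-Allow-Credentials values.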