How to tell why a cookie is not being sent?

Solution 1

This is a Chrome-specific bug. No fix yet.

#56211 chrome.cookies fails for localhost domains

https://code.google.com/p/chromium/issues/detail?id=56211

May also want to read this question. It isn't specific to chrome like this question, but it is specific to localhost behavior (unlike this question).

Solution 2

How to tell why a cookie is not being sent:

  • Go to the Network tab, and click the request that is not being sent with your cookie.

  • Go to the "Cookies" tab that just appeared.

  • Check "show filtered out request cookies" to see all the cookies that weren't sent; they'll appear in yellow.

Then a little "i" label will appear next to the property that is preventing the cookie from being sent. You can hover over it to see the detail.

Solution 3

The problem is this:

domain=dev;

Quoting from RFC 2945:

The value of the Domain attribute specifies the domain for which the cookie is valid. If an explicitly specified value does not start with a dot, the user agent supplies a leading dot.

So the web client will only send the cookie if the host address ends in .dev.

Try sending the cookie without the domain attribute.

Solution 4

In my case, it was because Fetch API doesn't send cookies unless credentials: "include" is given as an option.

fetch('API_ENDPOINT',{
  method: 'POST',
  credentials: 'include',
  body: JSON.stringify(some_json_obj)
})

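Also, I had to configure the Node.js (Express.js) backend CORS as follows.

const express = require('express')
const cors = require('cors')

const app = express()

// Allow the front-end origin and let the browser attach cookies to cross-origin requests
const corsOptions = {
  origin: 'http://localhost:3000',
  credentials: true
}

app.use(cors(corsOptions));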

Solution 5

If you are on a cross-domain request and using an XHR client (like the fetch API), be careful about the withCredentials parameter.

The XMLHttpRequest.withCredentials property is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.
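The causes named in Solutions 3 to 5 can be checked together. The following is an added example, not code from any of the answers: it applies RFC 6265 domain and path matching and the fetch credentials mode to a Set-Cookie header and a request URL. The function names and the reason codes ('credentials', 'domain', 'path') are hypothetical.

```javascript
// Added example: RFC 6265 domain-match, path-match and default-path plus the Fetch
// credentials mode. SameSite, Secure and other browser-specific rules are out of scope.
function parseSetCookie(header, responseUrl) {
  const res = new URL(responseUrl);
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const lastSlash = res.pathname.lastIndexOf('/');
  const cookie = {
    name: pair.slice(0, pair.indexOf('=')),
    domain: res.hostname.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact host gets the cookie
    path: lastSlash > 0 ? res.pathname.slice(0, lastSlash) : '/',
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'path' && val.startsWith('/')) cookie.path = val;
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

function domainMatches(host, cookie) {
  if (host === cookie.domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !cookie.hostOnly && !isIp && host.endsWith('.' + cookie.domain);
}

function pathMatches(reqPath, cPath) {
  if (reqPath === cPath) return true;
  return reqPath.startsWith(cPath) && (cPath.endsWith('/') || reqPath[cPath.length] === '/');
}

// credentials: 'omit' | 'same-origin' (the fetch default) | 'include'
function whyNotSent(cookie, requestUrl, pageOrigin, credentials = 'same-origin') {
  const req = new URL(requestUrl);
  const crossOrigin = req.origin !== pageOrigin;
  const reasons = [];
  if (credentials === 'omit' || (credentials === 'same-origin' && crossOrigin)) reasons.push('credentials');
  if (!domainMatches(req.hostname.toLowerCase(), cookie)) reasons.push('domain');
  if (!pathMatches(req.pathname, cookie.path)) reasons.push('path');
  return reasons;
}

// The question's Set-Cookie header (expires attribute left out) against its POST URL.
const devCookie = parseSetCookie('DevId=cffbc7e688864b6811f676e181bc29e6; domain=dev; path=/', 'http://dev/login');
console.log(whyNotSent(devCookie, 'http://dev/Base/User/home/', 'http://dev')); // []
```

An empty result means these generic rules allow the cookie, so what remains is a browser-specific filter, which the DevTools view described in Solution 2 names.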

Author by

Evan Carroll

Updated on February 12, 2022

Comments

  • Evan Carroll
    Evan Carroll about 2 years

    I'm using Chrome and I'm wondering if there is either an extension or a method to tell why a cookie is not being sent.

    I have one request I'm making to http://dev/login and it's returning,

    Set-Cookie:DevId=cffbc7e688864b6811f676e181bc29e6; domain=dev; path=/; expires=Tue, 16-Jun-2015 21:27:43 GMT
    

    However, on a post to http://dev/Base/User/home/ I'm not sending the DevId cookie. I'd love to know why the cookie isn't being sent if anyone happens to know. But, moreover, I'd love to know how I can tell why and how to better debug this problem in the future.

    Here are some requests, as captured from Chrome's Dev tools

    So here is my response from /login (notice Set-Cookie header),

    HTTP/1.1 200 OK
    Date: Tue, 16 Jun 2015 19:57:43 GMT
    Server: Apache
    Pragma: no-cache
    Cache-control: no-cache, max-age=0
    Set-Cookie: DevId=cffbc7e688864b6811f676e181bc29e6; domain=dev; path=/; expires=Tue, 16-Jun-2015 21:27:43 GMT
    Cache-Control: max-age=0
    Expires: Tue, 16 Jun 2015 19:57:43 GMT
    Keep-Alive: timeout=10, max=10
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: application/json; charset=ISO-8859-1
    

    And here is my post to /Base/User/home/1 (notice no cookie),

    POST /Base/User/home/ HTTP/1.1
    Host: dev
    Connection: keep-alive
    Content-Length: 0
    Origin: http://dev
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.81 Chrome/43.0.2357.81 Safari/537.36
    Content-type: application/x-www-form-urlencoded; charset=UTF-8
    Accept: text/javascript, text/html, application/xml, text/xml, */*
    X-Prototype-Version: 1.7.2
    X-Requested-With: XMLHttpRequest
    Referer: http://dev/user/1/home
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.8
    
  • Evan Carroll
    Evan Carroll almost 9 years
    This works in Firefox, and that's not how it's supposed to work. At least according to this post. The user agent is supposed to "supply" the dot, so it's written as .dev which should submit the cookie on dev and any subdomains of dev.
  • Arlo
    Arlo over 5 years
    Yet when I use Incognito Mode or a different Chrome profile it works. So I'm confused why this is only an issue in my normal Chrome profile.
  • Aniket Singla
    Aniket Singla over 3 years
    Thanks man, I was looking for this for 3 days.
  • skainswo
    skainswo over 3 years
    On problematic requests, I'm finding that the Cookies tab does not appear.
  • Lucas Said
    Lucas Said over 3 years
  • mrblue
    mrblue almost 2 years
    Thanks Lucas! I couldn't find the issue for a couple of hours. I didn't know about this option in Chrome.