Browser does not send cookies when cookie is set on a 303 redirect

Tags: http, cookies

When I set a cookie in a 303 See Other response, the next request (with the redirected-to location) does not contain the specified cookie. https://www.rfc-editor.org/rfc/rfc7231#section-6.4.4 (on 303 response) does not seem to mention cookies specifically. I can reproduce the issue on both current Firefox and current Chrome. As you can see from the Host headers, all of these are made against the same origin.

Fails

POST /login HTTP/1.1
Host: localhost:22242

HTTP/1.1 200 OK
content-type: text/html
content-length: 694
set-cookie: Authenticating=RrPWNaWsbC013k9QE9zzjJ5C2-c6DKHUnwoKZnL3-knY1aMlxpoGKIm5Kgc
date: Wed, 22 Jul 2020 15:13:14 GMT

POST /mfa/check HTTP/1.1
Host: localhost:22242
Cookie: Authenticating=RrPWNaWsbC013k9QE9zzjJ5C2-c6DKHUnwoKZnL3-knY1aMlxpoGKIm5Kgc

HTTP/1.1 303 See Other
content-length: 0
location: /
set-cookie: Session=k4Bx657138TS2SWdD6KXSxfUy9lddN89HdDOn5_dDLFfvFJwTdEpTGZ_4pw
date: Wed, 22 Jul 2020 15:13:53 GMT

GET / HTTP/1.1
Host: localhost:22242
Cookie: Authenticating=RrPWNaWsbC013k9QE9zzjJ5C2-c6DKHUnwoKZnL3-knY1aMlxpoGKIm5Kgc

Why doesn't the latter request send the Session cookie?

Works

POST /login HTTP/1.1
Host: localhost:22242

HTTP/1.1 200 OK
content-type: text/html
content-length: 718
date: Wed, 22 Jul 2020 15:20:41 GMT

POST /mfa/check HTTP/1.1
Host: localhost:22242

HTTP/1.1 303 See Other
location: /
set-cookie: Session=0WGq8q3Z_chLgf6gUSUnPrivqa8jqvOQJRlDnY8XehQhN4QwIjk0FYwXajI
content-length: 0
date: Wed, 22 Jul 2020 15:21:41 GMT

GET / HTTP/1.1
Host: localhost:22242
Cookie: Session=0WGq8q3Z_chLgf6gUSUnPrivqa8jqvOQJRlDnY8XehQhN4QwIjk0FYwXajI

In this seemingly similar case, the cookie is set correctly after the 303 redirect.

djc asked Nov 16 '25 15:11


2 Answers

This was a PEBKAC: I figured out that the problem here is the implicit default for the Path parameter in Set-Cookie headers. The Path parameter defaults to the current path, meaning the cookie will not be sent to parent paths.

Because I wasn't focused on the paths that much, it's possible I may have the example requests/responses wrong... I'm going to check what's up with that.

djc answered Nov 18 '25 06:11


I had the same issue and ended up here.

In my case it was because the first link came from an external host and my cookie was marked SameSite=Strict. My landing page set a cookie and redirected to the next page, but the request to the second page didn't include that cookie in the request headers as it was considered a cross site request. Requests to subsequent pages did include the cookie.

I was able to fix it by setting SameSite=Lax.

Rich answered Nov 18 '25 04:11
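An added example, not code from the question or either answer, that models both explanations in Python: the RFC 6265 default-path rule from the first answer (a Set-Cookie issued for /mfa/check with no Path attribute is scoped to /mfa, so it is never attached to a request for /) and the SameSite=Strict behaviour from the second answer. The Cookie class, the cross_site flag and the assumption that a cookie without SameSite behaves as Lax are mine, not browser internals.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cookie:
    name: str
    value: str
    path: str               # effective Path (explicit attribute or default-path)
    same_site: str = "Lax"  # "Strict", "Lax" or "None"; Lax assumed when absent

def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path: the request path up to, but not
    including, its right-most '/'; '/' when that would leave nothing."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def parse_set_cookie(header: str, request_path: str) -> Cookie:
    """Parse a Set-Cookie header value received for request_path. A missing
    Path attribute is filled in with the default-path, which is the trap
    described in the first answer."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, value = pair.split("=", 1)
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    path = attributes.get("path") or default_path(request_path)
    return Cookie(name, value, path, attributes.get("samesite", "Lax").title())

def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: equal, or a prefix at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_header(jar: List[Cookie], request_path: str,
                  cross_site: bool = False) -> Optional[str]:
    """Build the Cookie header for a same-origin request, or None if no cookie
    qualifies. cross_site models a top-level navigation that began on another
    site (the redirect hop in the second answer stays cross-site): Strict
    cookies are withheld there, Lax cookies still ride along on the GET."""
    sent = [c for c in jar if path_matches(c.path, request_path)
            and not (cross_site and c.same_site == "Strict")]
    return "; ".join(f"{c.name}={c.value}" for c in sent) or None
```

Adding `Path=/` to the Set-Cookie on /mfa/check, or `SameSite=Lax` for the cross-site landing case, makes `cookie_header` return the cookie for the redirected-to request.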


