I'm setting a cookie in a response from my web service. The set-cookie header is coming through, and I can see the cookie in the network tab in Chrome, but the cookie isn't being stored. It doesn't show up in the resources->cookies tab, and the cookie isn't sent with subsequent requests. Nothing shows up in the JS console. I've also tried leaving the domain field off the cookie, but it still isn't stored.
Is there a way to debug the browser to understand why the cookie was rejected from being stored?
Turns out it had to do with the way I was making the request. I expected fetch() to work the same way as XHR requests. Setting credentials: 'include' on my fetch call resolved the problem. See 5.6.14 of the fetch spec
Related
Ive made some configurations to (finally) have my cookies set on HTTP only.
"Seem" to work.
Ive tried them with postman and I have the following:
When I hit the login page:
On the cookies section, my cookie with name JSESSIONID appears to be HTTP only (it has the check)
When I enter to the logged area , the same result...
The headers dont give me more details.
Then,
I check it with google chrome. I open the developers toolbar.
I load the login page.
At the headers on the response headers I get
Set-Cookie: JSESSIONID=434434..... HttpOnly
So, its fine (I guess).
Then I reload the page (or sign in).
Then the problem:
No response headers received.
The Request Headers brings my cookie (with the same ID at then the previous one) without the httponly, host info or any other cookie value I set before.
At the cookies tab I get Request Cookies only and no Response cookie.
And the request cookie is non http-only
At my resources tab, the Cookie is there, as HTTP only and with the previous values I set.
My question now is... Is it a really http-only cookie? Or my configuration is not properly set?
Should I always get the response cookie or the request cookie should be always http-only (In case I am trying to set it as http-only) or is this behavior normal (or at least accepted) ?
When I try to print my cookie with Javascript at both scenarios I get a null as response (what makes me think then it is correct).
Ideas?
Client doesn't send cookie attributes other than name and value back to server.
See also RFC6265 section 4.2.2 (emphasis mine).
4.2.2. Semantics
Each cookie-pair represents a cookie stored by the user agent. The
cookie-pair contains the cookie-name and cookie-value the user agent
received in the Set-Cookie header.
Notice that the cookie attributes are not returned. In particular,
the server cannot determine from the Cookie header alone when a
cookie will expire, for which hosts the cookie is valid, for which
paths the cookie is valid, or whether the cookie was set with the
Secure or HttpOnly attributes.
Everything's behaving as specified.
In my application I have filter that sets cookie:
HttpContext.Response.Cookies.Append("myCookie", "value")
When I print cookie value in my view:
HttpContext.Request.Cookies["myCookie"];
it is not there. If I refresh page cookie is set. This happens because using Response.Cookies.Append does not update Request.Cookies collection. Is there way to view current cookies with changes made during request?
In my web application I have IAsyncActionFilter, that updates cookie, however corrected value is visible only after page is refreshed, and I would like to finish current request with new value. I know that it will be set by browser when response finishes, but I already know that I have new value for that cookie, and I would like to propagate this value to views reading cookies.
No. This is how cookies work. They are sourced from the client. In other words, the cookie is set by the client after it receives the response from the server with the Set-Cookie header. It's then only after the client makes another request, sending the cookie back, that it exists server-side. It's not clear what you're trying to achieve ultimately here, but you need to force a new request after setting a cookie, to access that cookie, even if that's simply returning a redirect to the same page.
I try to get cookie information with CookieManager in Android WebView. However, all it does is providing a key value pair of cookies, no additional information.
I also tried this post and use connection.getHeaderFields.get("Set-Cookie"); to get all cookies received from server. But from what I can tell, I don't see all cookies that I am supposed to receive from server. This can also be found by some cookies in CookieManger receive a new value but not show in Set-Cookie field.
Ideally, I would like to intercept every response and inspect their cookies with all information from server such as name, value, max-age, secure, etc. Any suggestion how to do this with Android WebView (WebViewClient)?
I found out that for some users of my website the _ga (client id) cookie is empty while I really need it in my script for 100% of users.
I found this out by logging what's happening in my PHP script. This is strange to me, because for me the _ga cookie is always present, no matter which browser I use.
1) Why can the _ga cookie be empty?
2) Is there any way to force creating it? Or maybe there is another way to find out the client id of the user on the server-side?
If javascript or cookies are disabled on client browser cookies always will be empty. You can implement additional logic on server to form an id from IP and/or User-Agent header of request if cookies are empty.
I'm not trying to send cookie data with the xmlhttprequest, rather I'm trying to use the xmlhttprequest to set cookies for the session without requiring user interaction.
According to the spec:
If the user agent supports HTTP State Management it should persist, discard and send cookies (as received in the Set-Cookie and Set-Cookie2 response headers, and sent in the Cookie header) as applicable.
As far as I've managed to tell, Firefox 3.6 will store the cookies, but they won't be available to the document of the page which executed the query through document.cookie. But they will be sent with subsequent XMXHttpRequests, which is sufficient for my uses.