http://i.stack.imgur.com/4XK7k.png
i used cookie for login,but sometimes it's mismatched.
Is cookie available for the same domain with each request?
Request cookies are cookies that are created on client side. They are sent to server in Cookie HTTP header in every request matching with cookie domain(ie. .com,.org,subdomain.com) and path (ie. /login, /questions) and protocol(HTTP, HTTPS). So stackoverflow will not receive cookies of facebook.
Server may choose to do something when it receives the cookies or may choose to ignore them. This kind of cookies can be used to store shopping cart type data.
Response cookies are the cookies created on server side. These are sent in Set-Cookie HTTP header from the server to client. HTTP clients (like browsers) are expected to read this header and create cookies contained in the value of this header. Every subsequent request to the server will be made with the these cookies (matching domain/path/protocol). Since server already knows about this cookie it can match from it's cookie store and check if this request is coming from the same host thus providing assigning state to the request. This kind of cookies can be used to validate user session.
Response cookies are sent once in first response from the server and client cookies are sent in every request to the server.
See example server response with cookies
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: theme=light
Set-Cookie: sessionToken=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT
Subsequent request from client would be something like below
GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: theme=light; sessionToken=abc123
Request Cookie = Cookie You send along with your request.
Response Cookies = Http header name Set-Cookie which basically contains "Request Cookie" value for future requests.
Related
I have a quart (basically flask) web-app that is doing OAuth2 with discord. It seems to be working in the cloud, but locally the set-cookie header that appears in the http response after discord authorizes the user is being IGNORED by the browser.
there is an HTTP response with set-cookie. the next request is the callback uri and it has a different session cookie! This is a serious problem and I'm completely stumped. It only seems to be happening on local host? I've read some about browsers ignoring set-cookie, but I have no domain in the set-cookie field and my path is "/"
Response from discord
session=<cookie_A>; Expires=Thu, 08-Oct-2020 19:22:57 GMT; HttpOnly; Path=/
request for callback url
session=<cookie_B>
I'm trying to have the expiration of an existing cookie on a site update from "Session" to some date in the future using the Set-Cookie header.
I believe my issue has to do with limitations on how browsers interpret the Path directive on the Set-Cookie header but I'm not sure nor can I find a use case quite like mine.
Example use case:
Browser navigates to:
GET / HTTP/2
Host: example.com
Server replies:
HTTP/2 200
set-cookie: PHPSESSID=abcd; Path=/; SameSite=None; Secure
Browser performs action and navigates to:
POST /some/path HTTP/2
Cookie: PHPSESSID=abcd;...
Server replies:
HTTP/2 302
Set-Cookie: PHPSESSID=dcba; expires=Mon, 17-Aug-2020 19:08:24 GMT; Max-Age=7776000; path=/
Location: /somewhere-else
All following requests from the browser contain the updated cookie value:
Cookie: PHPSESSID=dcba;...
Yet, upon inspecting the cookies with the dev tools (or simply closing the browser) I noticed that the Expires/Max-Age of the cookie is still "Session" (tried on Chrome and Firefox).
Is being able to update the value but not the expiration of a cookie through a Set-Cookie header a known/expected behavior? Or is there perhaps something wrong with how it's formed?
For any that come across this question/issue:
I discovered(?) that with each Set-Cookie header received: the browser will update the Expiration/Max-Age of that cookie to "Session" if it is absent but will not update other directive values to anything else if they are absent (such as the Secure flag or the value for SameSite).
This revealed that the underlying issue was that, in the next page, there was a request happening with the Set-Cookie header but did not have any value for the expires/Max-Age directives thus resetting the expiration to "Session", making the solution to ensure every Set-Cookie response header has a deliberate value (or absence) for the expires and/or Max-Age directive.
Explained with raw http, continuing the example in the question:
If the response for say an ajax request comes back with:
HTTP/2 200
Set-Cookie: PHPSESSID=efgh; Path=/; SameSite=None; Secure
Then the browser will update the cookie's value and set its expiration from "17-Aug-2020 19:08:24 GMT" to "Session".
Making the solution, as mentioned before, to ensure that the response contains the correct (or deliberate) value for the expires or Max-Age directive, so the correct response for the ajax call that accidentally set the expiration to "Session" in the example above would be something like:
HTTP/2 200
Set-Cookie: PHPSESSID=efgh; expires=Mon, 17-Aug-2020 19:08:24 GMT; Max-Age=7775900; Path=/
I have a situation where my web application will respond with cookie Rules=abcdefg for each request.
Request 1:
http : //hostname:8080/teja/axftyo (for this request I am setting cookie path as below, response from server)
Set-Cookie: Rules=HCE0F290B77137721C2F6107DD4B62F28;Path="/teja/axftyo"
Request 2:
http : //hostname:8080/teja/bcdefg
I assume that for request 2 Rules cookie should not be sent, but still the browser is sending this cookie in to the server.
How can I achieve the functionality of browser sending different cookies based on the path (/bcdefg) rather by my application name /teja
Thank you.
Cookie paths only work on a directory level. /dir/a and /dir/b are considered to be in the same scope for cookies.
/dir/a/ and /dir/b/, on the other hand, are distinguishable, so you could consider adding trailing slashes to your URLs.
I'm developing a small site w/ Go and I'm trying to set a cookie from my server.
I'm running the server on localhost, with 127.0.0.1 aliased to subdomain-dev.domain.com on port 5080.
My When I receive the response for my POST to subdomain-dev.domain.com:5080/login I can see the set-cookie header. The response looks like this:
HTTP/1.1 307 Temporary Redirect
Location: /
Set-Cookie: myappcookie=encryptedvalue==; Path=/; Expires=Fri, 13 Sep 2013 21:12:12 UTC; Max-Age=900; HttpOnly; Secure
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Date: Fri, 13 Sep 2013 20:57:12 GMT
Why isn't Chrome or Firefox recording this? In Chrome it doesn't show up in the Resources tab. In FF I can't see it either. And in neither do I see it in future Request headers.
See that Secure string in the cookie?
Yeah, me too. But only after a few hours.
Make sure you're accessing your site by SSL (https:// at the beginning of the URL) if you've got the Secure flag set.
If you're developing locally and don't have a cert, make sure you skip that option.
In my case, I had to add this to my response:
access-control-expose-headers: Set-Cookie
I found here that my Set-Cookie header was not accessible to my client unless I added it to the exposed-header header.
Hope this can help someone!
Found related github issue response cookies not being sent that helped.
In my case I am running react app under https (with mkcert tool) and making cross origin fetch request and get response. Cookies of the response is not set until I
specify credentials: 'include' for fetch request
example fetch api
fetch('https://example.com', {
credentials: 'include'
});
Specify these response headers from server
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost:3000
Access-Control-Allow-Origin header has value of the url of my react app.
add these attributes of Set-Cookie Header Path=/; HttpOnly; Secure; SameSite=None using http cookies
Hope it helps someone!
I have a.example.com and it sets a cookie for .example.com. Later on a.example.com sends an ajax request to b.example.com. I expect the.example.com cookie to be sent to b.example.com. But it is not.
I made sure the cookie was set on the right domain, but it does not seem to send the cookie in the ajax request for some reason.
# server A
res.cookie('images', tokens.images, { expires: config.pageExpiration(), secure: secure, domain: domain })
# server B
req.cookies.image
This makes sense, as you wouldn't expect *.com cookies to be mixed.
I suggest you pass your cookies through a server request if you really need to.