I'm testing an app locally and am making an authorization request to http://localhost:3000/api/auth/login. A set-cookie header is returned in the response with a JWT auth token. The JWT looks like:
JWT-TOKEN=[really long alphanumeric string];Version=1;Comment=;Domain=;Path=/;Max-Age=3600;;HttpOnly
Afterwards, I'm making another request to http://localhost:3000/api/other/resource and am getting an unauthorized error as it's expecting a cookie with the JWT token in the request.
The cookie is being set in Firefox, Safari and Chrome but not Edge. Nothing in the Edge dev tools console indicates that anything went wrong. Any ideas why the cookie is not being set in Edge?
I found an answer that worked in my case.
We were using fetch on the client. In some older browsers, the native fetch implementation would default to credentials: "omit", whereas newer browsers default to credentials: "same-origin".
As such, adding this option seemed to allow Edge to receive cookies in fetch requests, such as:
fetch('/users', {
  credentials: 'same-origin'
})
See https://github.com/github/fetch#sending-cookies for reference. Despite the name of the heading, "omit" will disable both sending AND receiving cookies.
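The symptom from the question, reproduced in a constructed model (an added example, not code from the original post or from the fetch polyfill). `makeBrowser`, `server` and `loginThenFetch` are hypothetical names, and the token value is a constructed placeholder; the model covers same-origin requests only.

```javascript
// Constructed model, not real browser or server code.
// makeBrowser(defaultCredentials) returns a fetch-like function with a cookie jar
// that follows the rule in the answer: with credentials "omit", cookies are
// neither stored from Set-Cookie nor sent on later requests.
function makeBrowser(defaultCredentials) {
  const jar = new Map(); // cookie name -> value (single origin only)

  // Constructed stand-in for the API in the question.
  function server(path, cookieHeader) {
    if (path === '/api/auth/login') {
      return { status: 200,
               setCookie: 'JWT-TOKEN=constructed.sample.token; Path=/; Max-Age=3600; HttpOnly' };
    }
    const authed = /(^|;\s*)JWT-TOKEN=[^;]+/.test(cookieHeader);
    return { status: authed ? 200 : 401, setCookie: null };
  }

  return async function fetchLike(path, init = {}) {
    const credentials = init.credentials || defaultCredentials;
    const useCookies = credentials !== 'omit';
    const cookieHeader = useCookies
      ? [...jar].map(([k, v]) => `${k}=${v}`).join('; ')
      : '';
    const res = server(path, cookieHeader);
    if (useCookies && res.setCookie) {
      const [pair] = res.setCookie.split(';'); // keep name=value, drop attributes
      const eq = pair.indexOf('=');
      jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    }
    return { status: res.status, ok: res.status < 400 };
  };
}

// Login followed by a protected request; the same `init` is passed to both calls.
async function loginThenFetch(fetchLike, init) {
  await fetchLike('/api/auth/login', init);
  const res = await fetchLike('/api/other/resource', init);
  return res.status;
}

async function demo() {
  const legacy = makeBrowser('omit');        // older default
  const modern = makeBrowser('same-origin'); // newer default
  const explicit = { credentials: 'same-origin' };
  return {
    legacyDefault: await loginThenFetch(legacy, undefined), // 401
    legacyExplicit: await loginThenFetch(legacy, explicit), // 200
    modernDefault: await loginThenFetch(modern, undefined), // 200
  };
}
```

Setting the option only on the second request is not enough: if the login call runs with "omit", the Set-Cookie header is discarded and there is nothing to send later.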