HttpOnly cookie setting in local deployment but not remote deployment

I have a local server that successfully sets an HttpOnly cookie on a local client, but the same code on a remote server is not setting the cookie.

The local server is a Chalice server running on http://localhost:8000. The response headers are:

{
    'Content-Type': 'application/json', 
    'Access-Control-Allow-Origin': 'http://localhost:5000', 
    'Access-Control-Allow-Credentials': 'true', 
    'Set-Cookie': 'refresh-token=my_token_value; <Max-Age>=605000; Path=/; HttpOnly'
}

The local client is running on http://localhost:5000. It is calling via fetch:

fetch("http://localhost:8000/login", {
    method: 'POST',
    headers: {'Content-Type': 'text/plain'},
    body: JSON.stringify(payload),
    credentials: 'include',
    mode: 'cors'
})

The remote server is running on something like https://my-server-domain.com/api. The response headers are:

{
    'Content-Type': 'application/json', 
    'Access-Control-Allow-Origin': 'https://my-client-domain.com', 
    'Access-Control-Allow-Credentials': 'true', 
    'Set-Cookie': 'refresh-token=my_token_value; <Max-Age>=605000; Path=/; HttpOnly'
}

The remote client is running on something like https://my-client-domain.com. It is calling the same way as the local client:

fetch("https://my-server-domain.com/api/login", {
    method: 'POST',
    headers: {'Content-Type': 'text/plain'},
    body: JSON.stringify(payload),
    credentials: 'include',
    mode: 'cors'
})

The API calls to the remote server work -- they return the expected response -- but the cookie is not getting set in the browser. Any suggestions as to why this might be?

Solution

  • The big difference between my local deployment and remote deployment was running over https. What ended up working was setting SameSite=None; Secure to the cookie.
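
As an added illustration (not code from the question or the answer), the snippet below shows why the same Set-Cookie header is stored in the localhost setup but dropped in the cross-site HTTPS setup, and builds the header with the SameSite=None; Secure fix from the answer. The same-site check is a deliberate simplification (it compares scheme and hostname exactly rather than registrable domains) and the function and parameter names are my own.

```python
# Added example (not code from the question or the answer): explains why the
# cookie is stored in the localhost setup but dropped in the cross-site HTTPS
# setup, and builds the Set-Cookie value the accepted answer describes.
from urllib.parse import urlsplit


def is_cross_site(page_origin: str, api_origin: str) -> bool:
    """True when a fetch from page_origin to api_origin is cross-site.

    Simplification (assumption): scheme and hostname are compared exactly, so
    http://localhost:5000 -> http://localhost:8000 is same-site (the port is
    not part of the site) while my-client-domain.com -> my-server-domain.com
    is cross-site. Real browsers compare registrable domains instead.
    """
    page, api = urlsplit(page_origin), urlsplit(api_origin)
    return (page.scheme, page.hostname) != (api.scheme, api.hostname)


def parse_set_cookie(header: str) -> dict:
    """Return the cookie attributes, keys lower-cased; flags map to ''."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the name=value pair
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def cross_site_problems(header: str) -> list:
    """Reasons a browser drops this Set-Cookie from a cross-site response.

    Empty list means the cookie is stored. Without SameSite, browsers default
    to Lax, which rejects cookies set by cross-site fetch responses;
    SameSite=None lifts that, but is only honoured together with Secure.
    """
    attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower() or "lax"
    problems = []
    if samesite != "none":
        problems.append(f"SameSite={samesite} blocks cross-site delivery")
    if "secure" not in attrs:
        problems.append("Secure missing (required alongside SameSite=None)")
    return problems


def build_refresh_cookie(token: str, max_age: int, cross_site: bool) -> str:
    """Set-Cookie value for the refresh token; cross_site adds the fix."""
    attrs = [f"refresh-token={token}", f"Max-Age={max_age}", "Path=/", "HttpOnly"]
    if cross_site:
        attrs += ["SameSite=None", "Secure"]
    return "; ".join(attrs)
```

Running cross_site_problems on the question's original header returns two reasons (defaulted SameSite=Lax and missing Secure), while the header built with cross_site=True returns none.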