Tags: http, cookies, session-cookies

Session cookie is being dropped, but for only one link on one page


I maintain an e-commerce shopping site (or "cart") for an external client. They have their own separate web site on their own server on a different domain. Their site links to our cart, opening it in a new tab or window (with target="_blank" in the link). When clicking on a link that is on their site, and pointing to our cart, any previously set session cookies for our cart are not included in the HTTP request.

If you log into our cart, then navigate to any other site and come back, the cookie is still set in our cart and you are still logged in. If you navigate to their site (but don't click on the link to our site) and then navigate back to our cart, you are still logged in. If I copy the URL from the link on their site and paste it into the browser's location bar, the cookie is still set and you are still logged in. If I click the same link on any other page (or a different link but with the same URL), the cookie is still set and you are still logged in.

It is only -- as far as I can see so far -- when exactly that link is clicked on exactly that page on the client's site that the cookie is not included in the request.

Since it seems to be specific to that link on that page on the client's external site, my best theory was that something in the HTTP headers that came with that page was instructing the browser not to include cookies in HTTP requests that are initiated by clicking links on that page. The headers included in the response seem to be fairly standard (date, cache-control, etag, age, x-served-by, x-cache, vary, server-timing, set-cookie, x-seen-by, alt-svc, and X-Firefox-Spdy) and nothing among them seems to say "Don't respect cookies for sites linked to from here."

The cookie has the HttpOnly attribute set, so it should not be visible or manipulable by the browser.

The server for the client's external site is serving HTTP/2, while our server is serving HTTP/1.1. My research on the differences between the protocol versions has not yet turned up any reason why that should be a factor, but I mention it only because I am otherwise so bereft of explanations for why this is happening.

Any ideas on why the cookie for our cart is not being sent with requests to our cart, but only if the request was the result of clicking that one link on that one page, or what I can do to fix it on this end, or what I can get the client to change on their end?

Thank you.


Solution

  • You are probably experiencing the result of not setting the samesite cookie attribute to the correct value for your situation.

    When you want to include cookies in both POST/GET operations across sites, you must set both SameSite=None and the Secure attribute.

    Like this:

    Set-Cookie: SessionCookie=xxxxxxxxxx; SameSite=None; Secure


    Also, you must use HTTPS.

    If you don't set them, cookies will only be included in safe GET requests and not in POST requests across sites. (Lax mode)

    To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging cookie problems
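To make the SameSite rules the answer relies on concrete, here is an added Python model (written for this page, not code from the question, the answer, or any browser) that parses a Set-Cookie header and decides whether a browser would attach the cookie to a given request. It assumes the modern browser defaults: an unspecified SameSite is treated as Lax, and SameSite=None without Secure is rejected outright.

```python
from dataclasses import dataclass
from typing import Optional

# Methods the SameSite=Lax rule counts as "safe" for top-level navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str   # "Strict", "Lax" or "None"
    secure: bool


def parse_set_cookie(header: str) -> Optional[Cookie]:
    """Parse a Set-Cookie value; return None if a browser would reject it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    same_site = "Lax"      # assumption: unspecified SameSite defaults to Lax
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            same_site = val.strip().capitalize()   # "none" -> "None"
        elif key == "secure":
            secure = True
    if same_site not in ("Strict", "Lax", "None"):
        same_site = "Lax"  # unknown SameSite values fall back to Lax
    if same_site == "None" and not secure:
        return None        # SameSite=None requires Secure; browser drops it
    return Cookie(name.strip(), value.strip(), same_site, secure)


def cookie_sent(cookie: Cookie, *, cross_site: bool, method: str,
                https: bool, top_level_navigation: bool) -> bool:
    """Would the browser include this cookie on the described request?"""
    if cookie.secure and not https:
        return False       # Secure cookies never travel over plain HTTP
    if not cross_site:
        return True        # same-site requests always carry the cookie
    if cookie.same_site == "None":
        return True        # None + Secure: sent on every cross-site request
    if cookie.same_site == "Strict":
        return False       # Strict: never sent cross-site, not even link clicks
    # Lax: only top-level navigations (link clicks) using a safe method
    return top_level_navigation and method.upper() in SAFE_METHODS
```

A link click from the client's site is a cross-site top-level GET, so a Lax cookie is still sent there; a cross-site POST, an embedded request, or a Strict cookie is where it disappears.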