I am setting a header with PHP's setcookie like:
setcookie('xxx', 'xxx', ['path'=>'/', 'samesite'=>'Strict', 'secure'=>1, 'httponly'=>1]);
In their developer tool, both Chrome and Edge show:
xxx=xxx; path=/; secure; HttpOnly; SameSite=Strict
with an orange triangle which states: 'This Set-Cookie header had a invalid syntax.' when hovered over.
There are no errors or warnings shown under the Issues tab, whereas leaving out any of the values shown above did.
Firefox has no problem and it sends it back with the next request.
Why is it so?
P.S.: It is running over HTTPS on a web-facing server. All latest browser versions.
For comparison, this is from a Samsung site, and it's ok:
JSESSIONID=371E1F0AFB88D3FBF0A1DF4B99432193; Path=/; Secure; HttpOnly
Addendum
The issue was that a separate Clear-Site-Data header included "cookies", thus making Edge and Chrome ignore the cookie, but included a very misleading error message which gave no clue to where the problem lay.
Firefox saw no problem at all and used the cookie, but that may be because it doesn't clear the cookies out until after the next request. It is the response that tells the browser to clear all cookies, so why does Firefox sneak in one last request?
Clearly there is an inconsistency between browser engines as to when Clear-Site-Data should apply from.
All browsers should provide an error when a cookie is set but Clear-Site-Data tells it to clear the cookies. While not a breach of any technical specification, this is clearly a mistake that causes the cookie to fail in its purpose, and the developer needs to know why their code catastrophically fails.
False reason for closing
This question was closed as being not reproducible or was caused by typos.
This is false as it is both:
Currently reproducible (create a cookie and include "cookies" in a Clear-Site-Data header) and
Not as a result of a typo (both contributors to the issue were deliberately constructed statements, even if the consequences were not clear, which is exactly the type of thing that SO can help people with).
I contend that it is because of the misleading error messages and inconsistent behaviour between browsers that this question and its solution may be of use.
Mea culpa!
There had to be a simple answer, and that was that another setting was preventing the cookie being used.
I had a Clear-Site-Data header that included "cookies". Removing "cookies" from that header meant the cookie became usable.
What was problematic was that Chrome and Edge gave misleading indicators, since the problem was not about invalid syntax at all.
Firefox seemed to have ignored the header altogether. Of course, there may be some subtleties around when the cookies are deleted.
If anything, the browser developer tools could have listed a warning item that stated that the cookie was ignored due to the Clear-Site-Data header, since creating a cookie only to have it ignored before it could be used is likely to be a mistake or oversight, especially since the cookie couldn't be read by JavaScript due to HttpOnly, meaning that it couldn't access the cookie value before it would be ignored.
This issue is now solved.
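Since the browsers give no useful warning, a server-side check over the outgoing headers catches this clash before it ships. The following is an added example, not code from the question or answer: it parses the Clear-Site-Data directive list and reports any cookie that the same response both sets and tells the browser to clear; the header lists and cookie values are constructed to mirror the post.

```python
"""Lint a response's headers for the Set-Cookie / Clear-Site-Data clash
described in the post. Added example with constructed sample headers."""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_clear_site_data(value: str) -> List[str]:
    """Split a Clear-Site-Data value into its directives.
    The value is a comma-separated list of quoted strings, e.g.
    '"cache", "cookies"' -> ['cache', 'cookies'].
    Unquoted tokens are not valid directives and are dropped."""
    directives = []
    for part in value.split(","):
        part = part.strip()
        if len(part) >= 2 and part[0] == '"' and part[-1] == '"':
            directives.append(part[1:-1])
    return directives


def cookie_name(set_cookie: str) -> str:
    """Return the cookie name from a Set-Cookie value ('xxx=xxx; path=/')."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def doomed_cookies(headers: List[Header]) -> List[str]:
    """Names of cookies this response sets while also clearing cookies
    ("cookies" directive or the "*" wildcard). An empty list means the
    response does not undo its own Set-Cookie headers."""
    clears_cookies = False
    names: List[str] = []
    for name, value in headers:
        key = name.lower()
        if key == "clear-site-data":
            if {"cookies", "*"} & set(parse_clear_site_data(value)):
                clears_cookies = True
        elif key == "set-cookie":
            names.append(cookie_name(value))
    return names if clears_cookies else []


# Constructed responses: the failing one from the post, and the fix
# from the answer (the "cookies" directive removed).
BROKEN_RESPONSE: List[Header] = [
    ("Set-Cookie", "xxx=xxx; path=/; secure; HttpOnly; SameSite=Strict"),
    ("Clear-Site-Data", '"cache", "cookies"'),
]
FIXED_RESPONSE: List[Header] = [
    ("Set-Cookie", "xxx=xxx; path=/; secure; HttpOnly; SameSite=Strict"),
    ("Clear-Site-Data", '"cache"'),
]

if __name__ == "__main__":
    print(doomed_cookies(BROKEN_RESPONSE))  # ['xxx']
    print(doomed_cookies(FIXED_RESPONSE))   # []
```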