Tags: javascript, ajax, cookies, google-chrome-devtools, safari-web-inspector

Cookies don't show up in developer console of Safari/Chrome with Set-Cookie Header, but exist when looking at server logs


I am storing cookies for my web app using the 'Set-Cookie' header response from my python backend.


Here is my ajax call on the client-end to the function:

In developer tools in Chrome and Safari, when I look for the cookies, the cookies don't show up.

On Chrome, the Set-Cookie doesn't even show up in the response header to the network call. In Safari, the Set-Cookie response header shows up and shows under request/response cookies, but when I check cookies for the application, nothing shows up.

Furthermore, the cookie data shown in Safari is incorrect: it shows an incorrect expiration date and httpOnly/secure, which should both be true.

The cookies seem to not exist, but when I log the server, I see clearly that the cookies exist and they appear (also Safari shows them going back and forth in the request/response headers), which means that the cookies are being properly stored and sent back to the server after every call in the header. I tried earlier to set httpOnly to false and secure to false, but even then the cookies exhibited the same behavior.

These cookies are still under the radar of both developer tools. How can I see the cookies on the browser in developer tools correctly? And what could this problem be?


Solution

  • Have you tried opening a tab to the server https://*.amazonaws.com and checking there instead?

    The cookie will be set on the server's domain, but you won't see it in your local server's cookie storage. The reason is that all web storage is bound by the same-origin policy: your document can only access storage from its own domain, and the server can only set cookies for its domain.

    The rationale here is that if I sent you a link to a rogue document, it couldn't exfiltrate your SO cookies even if they were accessible from JS, nor could sending a request to a rogue server overwrite cookies on SO.
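To make the domain-scoping rule in the answer concrete, here is an added example (not code from the question or the answer) of a minimal cookie jar that applies RFC 6265 domain matching the way a browser does. The hostnames, cookie names and the `myapi.example.amazonaws.com` API host are constructed placeholders. It shows why a cookie set by a response from the API host is stored under that host and is invisible to a document on `localhost`, and why the API host cannot set a cookie for a domain it does not belong to.

```javascript
// Added example: a toy cookie jar implementing RFC 6265 domain scoping.
// Hostnames below are constructed placeholders, not values from the question.

// RFC 6265 section 5.1.3 domain matching: host equals the domain, or is a
// subdomain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Parse one Set-Cookie header value received from `requestHost`.
// Returns a cookie record, or null if a browser would reject the cookie.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: bound to exactly the responding host
    secure: false,
    httpOnly: false,
    path: '/',
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': {
        const d = v.replace(/^\./, '').toLowerCase();
        // A server may only scope a cookie to its own domain or a parent of it;
        // anything else is silently dropped, as browsers do.
        if (!domainMatches(requestHost, d)) return null;
        cookie.domain = d;
        cookie.hostOnly = false;
        break;
      }
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'path': cookie.path = v || '/'; break;
      default: break; // Expires, Max-Age, SameSite are ignored in this toy
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store every accepted Set-Cookie header from a response sent by `requestHost`.
  storeFromResponse(setCookieHeaders, requestHost) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, requestHost);
      if (c) this.cookies.push(c);
    }
  }

  // Cookies that a document or request at `host` is allowed to see.
  cookiesFor(host, { https = true } = {}) {
    return this.cookies.filter(c =>
      (c.hostOnly ? host.toLowerCase() === c.domain : domainMatches(host, c.domain))
      && (!c.secure || https));
  }
}

// Reproduce the situation in the question: the page runs on localhost, the
// backend answers from an amazonaws.com host and sets a session cookie.
function demo() {
  const apiHost = 'myapi.example.amazonaws.com'; // constructed placeholder
  const jar = new CookieJar();
  jar.storeFromResponse([
    'session=abc123; Secure; HttpOnly',
    'evil=1; Domain=localhost', // rejected: the API cannot set cookies for localhost
  ], apiHost);
  return {
    onApi: jar.cookiesFor(apiHost).map(c => c.name),      // ['session']
    onLocalhost: jar.cookiesFor('localhost').map(c => c.name), // []
  };
}

console.log(JSON.stringify(demo()));
```

The `onLocalhost` result is empty even though the session cookie was accepted and will be sent back to the API host on later requests, which is exactly what the question describes: the cookie is in the browser's jar, but the DevTools Application/Storage panel for the `localhost` origin has no reason to list it.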