added 248 characters in body
Robert Lujo

  • when backend and frontend domains differ, the decision whether the cookies from a received response will be saved in the frontend domain's cookie storage is made by the browser. The browser will allow sending cookies ONLY if the XHR request has withCredentials=true and correct server cookie attributes (HTTP Set-Cookie header) are received

  • when backend and frontend domains differ, the decision whether the cookies will be sent within the request is made by the browser. The browser will allow this ONLY if the XHR request has withCredentials=true

  • in other words, if withCredentials=true is omitted, cookies won't be sent within the request NOR will they be received and saved from the response

  • received cookies are always stored under the frontend domain name in the browser cookie storage. In case the server domain differs and cookies are saved successfully, the effect is the same as if they had been sent by the frontend domain in the first place.

  • if the SameSite=None cookie attribute is omitted, today's browsers (Firefox/Chrome) will use the default Lax mode, which is too strict for cross-site cookies

  • if the Secure cookie attribute is omitted, then SameSite=None will be ignored; it requires Secure to be set

  • for localhost the browser does not require HTTPS / SSL for the Secure cookie property, http will work; no need to serve frontend or backend under https://localhost ...

EDIT 2022-03-02 - For Safari (v15.1) this is not true -> in Safari http://localhost + cookie with Secure - the cookie will be ignored, not saved in browser (solution: for Safari + http://localhost remove Secure and SameSite if provided).

EDIT 2023-01-13 - @Barnaby reported that "Firefox refuses to set it: 'has been rejected because a non-HTTPS cookie can’t be set as “secure”.'" If this is the case - solution as for Safari should work (see EDIT 2022-03-02 above).

added 202 characters in body

The cross-site cookies problem I solved like this:

Backend

Server side

  • serving on: http://localhost:8080
  • when creating a response, set Cookie attributes:

SameSite=None; Secure; Path=/

Client side

Frontend (in my case Angular)

  • serving on: http://localhost:4200/
  • when sending a request to the Server (backend), set XHR.withCredentials=true:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhost:8080/', true);
xhr.withCredentials = true;
xhr.send(null);

My interpretation:

  • when backend and frontend domains differ, the decision whether the cookies from a received response will be saved in the frontend domain's cookie storage is made by the browser. The browser will allow sending cookies ONLY if the XHR request has withCredentials=true and correct server cookie attributes (HTTP Set-Cookie header) are received

  • when backend and frontend domains differ, the decision whether the cookies will be sent within the request is made by the browser. The browser will allow this ONLY if the XHR request has withCredentials=true

  • in other words, if withCredentials=true is omitted, cookies won't be sent within the request NOR will they be received and saved from the response

  • received cookies are always stored under the frontend domain name in the browser cookie storage. In case the server domain differs and cookies are saved successfully, the effect is the same as if they had been sent by the frontend domain in the first place.

  • if the SameSite=None cookie attribute is omitted, today's browsers (Firefox/Chrome) will use the default Lax mode, which is too strict for cross-site cookies

  • if the Secure cookie attribute is omitted, then SameSite=None will be ignored; it requires Secure to be set

  • for localhost the browser does not require HTTPS / SSL for the Secure cookie property, http will work; no need to serve frontend or backend under https://localhost ... EDIT 2022-03-02 - For Safari (v15.1) this is not true -> in Safari http://localhost + cookie with Secure - the cookie will be ignored, not saved in browser (solution: for Safari + http://localhost remove Secure and SameSite if provided).

Hints for diagnostics:

  • in order to check if the cookies are sent, open the browser developer tools and check the Network tab. Find the request to the backend and check Headers: search for the Cookie header in Request headers, and Set-Cookie in Response headers
  • in order to check if the cookies are saved, open the browser's developer tools, see Storage manager (Firefox), check Cookies and search for the frontend domain name; check if the cookie exists and, if it does, check when it was created ...
  • don't forget to set CORS on the backend first

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
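As an added example (not code from the answer above or from any project it mentions): Node.js helpers that build the Set-Cookie and CORS response headers a backend needs for this setup, plus a checker for the two attribute mistakes the interpretation lists. It also covers the CORS detail the answer only mentions in passing: a request made with withCredentials=true is only accepted by the browser when Access-Control-Allow-Origin echoes the exact origin and Access-Control-Allow-Credentials is true, never with `*`. The allow-list, the function names and the `localhostHttp` option are assumptions.

```javascript
// Constructed allow-list of frontend origins permitted to make credentialed requests.
const FRONTEND_ORIGINS = new Set(['http://localhost:4200']);

// Build a Set-Cookie value for a cookie that must survive a cross-site XHR.
// localhostHttp=true drops Secure and SameSite, the workaround the answer gives
// for Safari/Firefox on plain http://localhost (assumed option name).
function buildSetCookie(name, value, { localhostHttp = false } = {}) {
  const attrs = ['Path=/', 'HttpOnly'];
  if (!localhostHttp) attrs.push('SameSite=None', 'Secure');
  return `${name}=${encodeURIComponent(value)}; ${attrs.join('; ')}`;
}

// CORS headers for a credentialed request: the origin is echoed exactly and
// credentials are explicitly allowed. Unknown origins get no CORS headers at all,
// so the browser blocks the response for them.
function corsHeadersFor(requestOrigin) {
  if (!FRONTEND_ORIGINS.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's response to another
  };
}

// Parse a Set-Cookie value and report the problems described in the answer:
// a missing SameSite=None (browsers default to Lax, so the cookie never travels
// cross-site) and SameSite=None without Secure (the browser rejects the cookie).
function lintSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';').map((s) => s.trim());
  const attrs = new Map();
  for (const a of rawAttrs) {
    const [k, v = ''] = a.split('=');
    attrs.set(k.toLowerCase(), v);
  }
  const problems = [];
  if (!pair.includes('=')) problems.push('missing name=value');
  const sameSite = (attrs.get('samesite') || 'Lax').toLowerCase();
  if (sameSite !== 'none') {
    problems.push('SameSite is not None: cookie will not be sent cross-site');
  } else if (!attrs.has('secure')) {
    problems.push('SameSite=None without Secure: browser rejects the cookie');
  }
  return problems;
}

module.exports = { buildSetCookie, corsHeadersFor, lintSetCookie };
```

Run lintSetCookie over the Set-Cookie values you see in the Network tab to confirm the attributes before blaming withCredentials.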


added 535 characters in body

The cross-site cookies problem I solved like this:

Backend

Server side

  • serving on: http://localhost:8080
  • when creating a response, set Cookie attributes:

SameSite=None; Secure; Path=/

Client side

Frontend (in my case Angular)

  • serving on: http://localhost:4200/
  • when sending a request to the Server (backend), set XHR.withCredentials=true:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhost:8080/', true);
xhr.withCredentials = true;
xhr.send(null);

My interpretation:

  • when backend and frontend domains differ, the decision whether the cookies from a received response will be saved in the frontend domain's cookie storage is made by the browser. The browser will allow sending cookies ONLY if the XHR request has withCredentials=true and correct server cookie attributes (HTTP Set-Cookie header) are received

  • when backend and frontend domains differ, the decision whether the cookies will be sent within the request is made by the browser. The browser will allow this ONLY if the XHR request has withCredentials=true

  • in other words, if withCredentials=true is omitted, cookies won't be sent within the request NOR will they be received and saved from the response

  • received cookies are always stored under the frontend domain name in the browser cookie storage. In case the server domain differs and cookies are saved successfully, the effect is the same as if they had been sent by the frontend domain in the first place.

  • if the SameSite=None cookie attribute is omitted, today's browsers (Firefox/Chrome) will use the default Lax mode, which is too strict for cross-site cookies

  • if the Secure cookie attribute is omitted, then SameSite=None will be ignored; it requires Secure to be set

  • for localhost the browser does not require HTTPS / SSL for the Secure cookie property, http will work; no need to serve frontend or backend under https://localhost ...

Hints for diagnostics:

  • in order to check if the cookies are sent, open the browser developer tools and check the Network tab. Find the request to the backend and check Headers: search for the Cookie header in Request headers, and Set-Cookie in Response headers
  • in order to check if the cookies are saved, open the browser's developer tools, see Storage manager (Firefox), check Cookies and search for the frontend domain name; check if the cookie exists and, if it does, check when it was created ...
  • don't forget to set CORS on the backend first

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

