1

I'm trying to send some cookies up with a request from some Go code I'm writing, and it seemingly does not work with localhost cookies. Is there an option or something that needs to be done to make this work?

The cookie itself is present, when I print out the cookie jar just before the request, I can see the following contents:

"Cookie Jar"="&{psList:<nil> mu:{state:0 sema:0} entries:map[localhost:map[localhost;/;{COOKIE_NAME}:{Name:{COOKIE_NAME} Value:{COOKIE_VALUE} Quoted:false Domain:localhost Path:/ SameSite:SameSite=Lax Secure:true HttpOnly:true Persistent:true HostOnly:true Expires:{wall:13961957429007098536 ext:43201850773835 loc:0x105fa4e80} Creation:{wall:13961911043360301736 ext:1850773835 loc:0x105fa4e80} LastAccess:{wall:13961911043360301736 ext:1850773835 loc:0x105fa4e80} seqNum:0}]] nextSeqNum:1}"

req.URL is http://localhost:8080/api/v1/account and client.Jar.Cookies(req.URL) returns an empty array. All of this info is the state of the client directly before calling client.Do(req), so from my understanding, while the cookie is present, because client.Jar.Cookies(req.URL) is returning an empty array, no cookies are being inserted.

My question is why can it not find the localhost cookie for a localhost URL?

Improve this question
3
  • 1
    Can you please try to provide a Minimal, Reproducible Example - something like this. Currently I don't think the question has enough detail to enable us to answer (don't have a clear idea of what is in the jar, or what url you are passing in). But note that I don't think Go will send a secure cookie if you are not using a secure connection (even to localhost). Commented Nov 5, 2024 at 0:09
  • go.dev/play/p/ne8eohw86n0 can you turn that into an actual example of your issue? Seems to be working fine to me Commented Nov 5, 2024 at 3:16
  • Apologies for the low detail, I am extremely new to go, essentially learning while debugging, so was hoping it could be a simple config issue or something. But @Brits had it spot on! Changing the cookie to be non-secure does the trick! If you make that an answer, I'll go ahead and accept it! Commented Nov 5, 2024 at 15:32

1 Answer 1

Reset to default
1

As discussed in this issue Go's cookiejar.Jar will not send a cookie flagged as Secure if the URL specifies http (as opposed to https or something else).

Cookies flagged as secure should only be sent over a secure link, but there is generally an exception for localhost as stated in MDN:

A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost)

The issue is still open so this may change, but for now the simplest solution is to set Secure to false.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Just hit this issue experimenting with gorilla/sessions. 30 minutes after original answer appeared, can you believe it ))

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.