3
votes

I'm testing an app locally and am making an authorization request to http://localhost:3000/api/auth/login. A set-cookie header is returned in the response with a JWT auth token. The JWT looks like:

JWT-TOKEN=[really long alphanumeric string];Version=1;Comment=;Domain=;Path=/;Max-Age=3600;;HttpOnly

Afterwards, I'm making another request to http://localhost:3000/api/other/resource and am getting an unauthorized error as it's expecting a cookie with the JWT token in the request.

The cookie is being set in Firefox, Safari and Chrome but not Edge. Nothing in the Edge dev tools console indicates that anything went wrong. Any ideas why the cookie is not being set in Edge?

Did you ever solve this? I'm currently looking at exactly the same issue, but it also fails on non-local domains. (Anthony Manning-Franklin)

I found a potential solution but my backend team never got around to trying it out (more pressing issues than compatibility with Edge). Basically, having the "domain" field makes setting the cookie silently fail. Removing it potentially should fix the issue, but since it was never implemented, I didn't bother updating this post. I found another post which mentioned this: stackoverflow.com/a/34766660/1202995 (tehawtness)

I had to use the domain field so that we had subdomain wildcard, and it worked perfectly with my solution. I did also find that my node server was setting a Max-Age attribute on the cookie, and removed that too in favour of using Expires. (Anthony Manning-Franklin)

What did your domain parameter look like? (tehawtness)

.example.com, although it worked equally well without the trailing dot, and the RFC says the trailing dot should make no difference. (Anthony Manning-Franklin)

1 Answer

3
votes

I found an answer that worked in my case.

We were using fetch on the client. In some older browsers, the native fetch implementation would default to credentials: "omit", whereas newer browsers default to credentials: "same-origin".

As such, adding this option seemed to allow Edge to receive cookies in fetch requests, such as

fetch('/users', {
  credentials: 'same-origin'
})

https://github.com/github/fetch#sending-cookies for reference. Despite the name of the heading, "omit" will disable both sending AND receiving cookies.
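The thread names two separate causes for the cookie silently going missing: the Set-Cookie header itself (an empty `Domain=` attribute, a stray `;;`, and a `Max-Age` one commenter swapped for `Expires`) and the client fetch call omitting credentials. The following is an added example, not code from the question or the answer: a small parser and audit for a Set-Cookie header, run over a constructed sample modelled on the header in the question (token shortened), plus a helper that applies the answer's `credentials` fix to fetch options. The function names and the sample header are assumptions of this example.

```javascript
// Added example (not from the question or answer). Audits a Set-Cookie header
// for the attributes this thread links to Edge silently dropping the cookie,
// and wraps fetch init options so cookies are sent and received.

// Constructed sample, modelled on the question's header; the JWT is shortened.
const SAMPLE_SET_COOKIE =
  'JWT-TOKEN=eyJhbGciOiJIUzI1NiJ9.payload.sig;Version=1;Comment=;Domain=;Path=/;Max-Age=3600;;HttpOnly';

// Split a Set-Cookie header into the cookie pair and its attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
// Flag attributes such as HttpOnly or Secure are stored with the value true.
// Empty segments (from ";;") are counted rather than silently skipped.
function parseSetCookie(header) {
  const parts = header.split(';');
  const [rawName, ...rawValue] = parts[0].split('=');
  const attrs = new Map();
  let emptySegments = 0;
  for (const part of parts.slice(1)) {
    const seg = part.trim();
    if (seg === '') { emptySegments++; continue; }
    const eq = seg.indexOf('=');
    if (eq === -1) {
      attrs.set(seg.toLowerCase(), true);
    } else {
      attrs.set(seg.slice(0, eq).trim().toLowerCase(), seg.slice(eq + 1).trim());
    }
  }
  return { name: rawName.trim(), value: rawValue.join('='), attrs, emptySegments };
}

// Report the problems the thread discusses; returns an array of findings.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (cookie.attrs.has('domain') && cookie.attrs.get('domain') === '') {
    findings.push('empty Domain attribute: omit it for a host-only cookie, or set a real domain');
  }
  if (cookie.emptySegments > 0) {
    findings.push(`${cookie.emptySegments} empty attribute segment(s) (";;") in header`);
  }
  if (cookie.attrs.has('max-age')) {
    findings.push('Max-Age set: one commenter replaced it with Expires to get Edge to accept the cookie');
  }
  return findings;
}

// Apply the answer's fix: default to credentials 'same-origin' so fetch both
// sends and receives cookies, while leaving an explicit choice untouched.
function withCredentials(init = {}) {
  return { credentials: 'same-origin', ...init };
}

// Stand-alone usage: audit the sample and show the fetch options that result.
console.log(auditSetCookie(SAMPLE_SET_COOKIE));
console.log(withCredentials({ method: 'GET' }));
// e.g. fetch('/api/other/resource', withCredentials())
```

The fixed header from the comments would drop the `Domain=` attribute and the double semicolon, leaving something like `JWT-TOKEN=...;Path=/;HttpOnly`; running `auditSetCookie` on that returns no findings. For a request to a different origin, pass `{ credentials: 'include' }` explicitly.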