Set-Cookie Header Not Appearing In Google Chrome

10
votes

Problem

I am running a Spring Boot server with a Post endpoint that sets a cookie. When making a request to the endpoint from my angular app I do not see the Set-Cookie header in the response headers in Chrome's dev console. Why is the Set-Cookie header not showing up?

Investigation Summary

The Set-Cookie response header does show up in the response headers when using curl, Set-Cookie is also present on Safari, and it shows up in the chrome net-export logs.

Environment

  • I added an entry for xxx.com to point to my localhost in my /etc/hosts file on my mac.
  • I am hosting the angular UI with the ng serve --host 0.0.0.0 --disable-host-check command at http://example.com:4200.
  • I am running the spring boot server at http://example.com:8080
  • The post endpoint of interest is at http://example.com:8080/accounts/v1/user/authenticate
  • Using the latest version of chrome Version 73.0.3683.103 (Official Build) (64-bit)

Attempted Debugging

Safari

The Set-Cookie header is visible in the response headers in the Safari developer console.

Chrome

Chrome Dev Console

Went to the devconsole -> network -> authenticate request. I viewed the request and response headers and Set-Cookie was not there.

Request headers

Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: http://example.com:4200
Referer: http://example.com:4200/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Response headers

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://example.com:4200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Wed, 17 Apr 2019 21:58:52 GMT
Expires: 0
Pragma: no-cache
Server: nginx/1.15.6
Transfer-Encoding: chunked
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

Using Chrome chrome://net-export/

I saved the logs for the post request. Interestingly the Set-Cookie header does appear in these logs. Additionally the Cookie header does show up in the request as well (probably got saved from a previous attempt).

t=190196 [st=  0] +REQUEST_ALIVE  [dt=125]
                   --> priority = "MEDIUM"
                   --> url = "http://example.com/accounts/v1/user/authenticate"
t=190196 [st=  0]    NETWORK_DELEGATE_BEFORE_URL_REQUEST  [dt=0]
t=190196 [st=  0]   +URL_REQUEST_START_JOB  [dt=124]
                     --> load_flags = 0 (NORMAL)
                     --> method = "POST"
                     --> privacy_mode = 0
                     --> upload_id = "0"
                     --> url = "http://example.com/accounts/v1/user/authenticate"
t=190197 [st=  1]      NETWORK_DELEGATE_BEFORE_START_TRANSACTION  [dt=0]
t=190197 [st=  1]      HTTP_CACHE_GET_BACKEND  [dt=0]
t=190197 [st=  1]     +HTTP_STREAM_REQUEST  [dt=0]
t=190197 [st=  1]        HTTP_STREAM_JOB_CONTROLLER_BOUND
                         --> source_dependency = 16598 (HTTP_STREAM_JOB_CONTROLLER)
t=190197 [st=  1]        HTTP_STREAM_REQUEST_BOUND_TO_JOB
                         --> source_dependency = 16599 (HTTP_STREAM_JOB)
t=190197 [st=  1]     -HTTP_STREAM_REQUEST
t=190197 [st=  1]      UPLOAD_DATA_STREAM_INIT  [dt=0]
                       --> is_chunked = false
                       --> net_error = 0 (?)
                       --> total_size = 43
t=190197 [st=  1]     +HTTP_TRANSACTION_SEND_REQUEST  [dt=0]
t=190197 [st=  1]        HTTP_TRANSACTION_SEND_REQUEST_HEADERS
                         --> POST /accounts/v1/user/authenticate HTTP/1.1
                             Host: example.com
                             Connection: keep-alive
                             Content-Length: 43
                             Accept: application/json, text/plain, */*
                             Origin: http://example.com:4200
                             User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
                             Content-Type: application/json
                             Referer: http://example.com:4200/
                             Accept-Encoding: gzip, deflate
                             Accept-Language: en-US,en;q=0.9
                             Cookie: Authorization="xxxx"
t=190197 [st=  1]        HTTP_TRANSACTION_SEND_REQUEST_BODY
                         --> did_merge = false
                         --> is_chunked = false
                         --> length = 43
t=190197 [st=  1]        UPLOAD_DATA_STREAM_READ  [dt=0]
                         --> current_position = 0
t=190197 [st=  1]        UPLOAD_DATA_STREAM_READ  [dt=0]
                         --> current_position = 43
t=190197 [st=  1]     -HTTP_TRANSACTION_SEND_REQUEST
t=190197 [st=  1]     +HTTP_TRANSACTION_READ_HEADERS  [dt=122]
t=190197 [st=  1]        HTTP_STREAM_PARSER_READ_HEADERS  [dt=122]
t=190319 [st=123]        HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                         --> HTTP/1.1 200 OK
                             Server: nginx/1.15.6
                             Date: Wed, 17 Apr 2019 21:27:35 GMT
                             Content-Type: application/json;charset=UTF-8
                             Transfer-Encoding: chunked
                             Connection: keep-alive
                             Expires: 0
                             Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                             Set-Cookie: Authorization="xxxx"; Version=1; Domain=.example.com; Max-Age=1031; Expires=Wed, 17-Apr-2019 21:44:46 GMT
                             X-XSS-Protection: 1; mode=block
                             Pragma: no-cache
                             X-Frame-Options: DENY
                             Access-Control-Allow-Origin: http://example.com:4200
                             Vary: Origin
                             Vary: Access-Control-Request-Method
                             Vary: Access-Control-Request-Headers
                             Access-Control-Allow-Credentials: true
                             X-Content-Type-Options: nosniff
t=190319 [st=123]     -HTTP_TRANSACTION_READ_HEADERS
t=190319 [st=123]      NETWORK_DELEGATE_HEADERS_RECEIVED  [dt=0]
t=190320 [st=124]   -URL_REQUEST_START_JOB
t=190320 [st=124]    URL_REQUEST_DELEGATE_RESPONSE_STARTED  [dt=0]
t=190320 [st=124]    HTTP_TRANSACTION_READ_BODY  [dt=1]
t=190321 [st=125]    URL_REQUEST_JOB_FILTERED_BYTES_READ
                     --> byte_count = 698
                     --> bytes = "xxxx"
t=190321 [st=125]    HTTP_TRANSACTION_READ_BODY  [dt=0]
t=190321 [st=125] -REQUEST_ALIVE

Using Chrome Options

Some posts suggested disabling this chrome option chrome://flags/#site-isolation-trial-opt-out. But this had no effect.

Angular

Added withCredentials: true option to my post request in angular. But that did not resolve the issue.

Curl

I tried to simulate a request from the UI using curl

curl -i -H 'Origin: http://example.com:4200' -H 'Accept: application/json, text/plain, */*' -H 'Content-Type: application/json' -H 'Referer: http://example.com:4200/' --request POST --data '{"primaryEmailAddress":"[email protected]"}' http://example.com:8080/accounts/v1/user/authenticate

The response headers to the request contained the set cookie header

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: Authorization="Bearer xxxx"; Version=1; Domain=.example.com; Max-Age=545; Expires=Wed, 17-Apr-2019 22:00:46 GMT
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: DENY
Date: Wed, 17 Apr 2019 21:51:41 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://example.com.com:4200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
Transfer-Encoding: chunked
Content-Type: application/json;charset=UTF-8
2
angulargoogle-chromespring-boothttp

2 Answers

2
votes

I noticed this same behavior (using Chrome 75). I don't know why Chrome dev tools doesn't show the Set-Cookie response header under the Network tab. (It seems like it should.) However, you can verify that the cookie has been set if you look under the Application tab (see Application -> Storage -> Cookies). There, you can also edit and clear cookies.

0
votes

It seems that this was happening due to a bug in Chrome. Updating Chrome to the latest version resolved it for me.