asp.net mvc - localhost cookies not set

Question

I'm trying to set a cookie in my application.

Here's the code that sets the cookie:

public HttpResponseMessage LogIn(UserLoginVM user)
{
    // Do login stuff

    var cookie = new CookieHeaderValue("STUPID-COOKIE", "12345");
    cookie.Domain = Request.RequestUri.Host;
    cookie.Path = "/";
    cookie.HttpOnly = true;

    // Get user's profile

    HttpResponseMessage res = Request.CreateResponse<UserProfileVM>(HttpStatusCode.OK, profile);
    res.Headers.AddCookies(new CookieHeaderValue[] { cookie });

    return res;
}

The response from the server is the following:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
Set-Cookie: STUPID-COOKIE=12345; domain=localhost; path=/; httponly
Access-Control-Allow-Origin: *
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?QzpcUFJPSkVDVFNcU2Ftc2tpcC5TZXJ2aWNlV2ViTmV3XFNhbXNraXAuQXV0aEFQSVxTYW1za2lwLkF1dGhBUElcbG9naW4=?=
X-Powered-By: ASP.NET
Date: Wed, 18 Feb 2015 11:58:07 GMT
Content-Length: 8019

Notice the following header:

Set-Cookie: STUPID-COOKIE=12345; domain=localhost; path=/; httponly

However, when I go under "Cookies" in "Resources" tab in Chrome, nothing is set. Also when I send a request to the server no cookie is in the headers.

Here's the code that reads the cookie:

CookieHeaderValue cookie = Request.Headers.GetCookies("STUPID-COOKIE").FirstOrDefault();

cookie variable is always null.

My application is running on http://localhost:53998 and the authentication service is running on http://localhost:60858

My Chrome version is 40.0.2214.111.

Here's a GIF demonstrating the problem: http://i.imgur.com/q7lkXBz.gif

Edit: This seems to be non-specific to Chrome. This doesn't work on FireFox (v35) either. GIF: http://i.imgur.com/ZewnEtc.gif

Answer 1

I ran into this issue today and Gaui's answer was quite useful to me, bearing in mind ideally you do not want to open up your server to CORS requests from any site. I'm in my dev environment and my server and client are on different origins since they are on different ports on localhost. Also I'm using .net core 3.0

My issue was caused by my server not sending cookies to my client side as my CORS settings were blocking the sending of cookie to my domain this was evident by the server not using the header Access-Control-Allow-Credentials: true. To resolve this I configured my server in Startup.cs to allow requests from my client side to allow credentials (A credential is a cookie's authorization headers or TLS client certificates).

        var allowedOrigins = new[] {"localhost:3000"}; // Ideally comes from appsettings

        app.UseCors(builder =>
            builder.WithOrigins(allowedOrigins).AllowCredentials().AllowAnyMethod().AllowAnyHeader().Build());

For the cookie options; I found that the you do not have to set Domain if you do not want to, Secure works even when the site is not using https.

Google chrome now supports cookies on localhost, I believe it didn't used to as a lot of older SO posts have users who faced that issue.

On the client side, you need to configure it to accept cookies as well, as in Gaui's answer above. I was using fetch, and so had to add the option:

credentials: 'include'

Which tells fetch to retrieve cookies across domains. See the docs here