Cookies on localhost with explicit domain

Question

I must be missing some basic thing about cookies  On localhost  when I set a cookie on server side and specify the domain explicitly as localhost  or  localhost   the cookie does not seem to be accepted by some browsers   Firefox 3 5  I checked the HTTP request in Firebug  What I see is   Set-Cookie      name value      domain localhost      expires Thu  16-Jul-2009 21 25 05 GMT      path     or  when I set the domain to  localhost    Set-Cookie      name value      domain  localhost      expires Thu  16-Jul-2009 21 25 05 GMT      path     In either case  the cookie is not stored   IE8  I did not use any extra tool  but the cookie does not seem to be stored as well  because it   s not being sent back in subsequent requests   Opera 9 64  Both localhost and  localhost work  but when I check the list of cookies in Preferences  the domain is set to localhost local even though it   s listed under localhost  in the list grouping    Safari 4  Both localhost and  localhost work  but they are always listed as  localhost in Preferences  On the other hand  a cookie without an explicit domain  it being shown as just localhost  no dot    What is the problem with localhost  Because of such a number of inconsistencies  there must be some special rules involving localhost  Also  it   s not completely clear to me why domains must be prefixed by a dot  RFC 2109 explicitly states that       The value for the Domain attribute   contains no embedded dots or does not   start with a dot    Why  The document indicates that it has to do something with security  I have to admit that I have not read the entire specification  may do it later   but it sounds a bit strange  Based on this  setting cookies on localhost would be impossible

User · Answer

Results I had varied by browser    Chrome- 127 0 0 1 worked but localhost  localhost and    did not  Firefox-  localhost worked but localhost  127 0 0 1  and    did not   Have not tested in Opera  IE  or Safari

User · Answer

By design  domain names must have at least two dots  otherwise the browser will consider them invalid   See reference on http   curl haxx se rfc cookie spec html  When working on localhost  the cookie domain must be omitted entirely  You should not set it  to  quot  quot  or NULL or FALSE instead of  quot localhost quot   It is not enough  For PHP  see comments on http   php net manual en function setcookie php 73107  If working with the Java Servlet API  don t call the cookie setDomain  quot     quot   method at all

User · Answer

I was playing around a bit    Set-Cookie   xsrf 2 f1313120 17df429d33515874d3e571d1c5ee2677 1485812120  Domain localhost  Path     works in Firefox and Chrome as of today  However  I did not find a way to make it work with curl  I tried Host-Header and --resolve  no luck  any help appreciated   However  it works in curl  if I set it to  Set-Cookie   xsrf 2 f1313120 17df429d33515874d3e571d1c5ee2677 1485812120  Domain 127 0 0 1  Path     instead   Which does not work with Firefox

User · Answer

There is an issue on Chromium open since 2011  that if you are explicitly setting the domain as  localhost   you should set it as false or undefined

User · Answer

Spent a great deal of time troubleshooting this issue myself   Using PHP  and Nothing on this page worked for me  I eventually realized in my code that the  secure  parameter to PHP s session set cookie params   was always being set to TRUE    Since I wasn t visiting localhost with https my browser would never accept the cookie  So  I modified that portion of my code to conditionally set the  secure  param based on   SERVER  HTTP HOST   being  localhost  or not  Working well now   I hope this helps someone

User · Answer

Another important detail  the expires  should use the following date time format  Wdy  DD-Mon-YYYY HH MM SS GMT  RFC6265 - Section 4 1 1    Set-Cookie    name value    domain localhost    expires Thu  16-07-2019 21 25 05 GMT    path

User · Answer

There seems to be an issue when you use https    lt local-domain gt  and then http    lt local-domain gt   The http    site does not send cookies with requests after https    site sets them  Force reload and clear cache doesn t help  Only manual clearing of cookies works  Also  if I clear them on the https    page  then http    page starts working again   Looks to be related to  Strict secure cookies   Good explanation here  It was released in Chrome 58 on 2017-04-19   It looks like Chrome does in fact record both secure cookies and non-secure cookies as it will show the correct cookies depending on the page s protocol when clicking the address bar icon   But Developer tools  gt  Application  gt  Cookies will not show a non-secure cookie when there is a secure cookie of the same name for the same domain  nor will it send the non-secure cookie with any requests  This seems like a Chrome bug  or if this behavior is expected  there should be some way to view the secure cookies when on a http page and an indication that they are being overridden   Workaround is to use different named cookies depending on if they are for an http site or https site  and to name them specific to your app  A   Secure- prefix indicates that the cookie should be strictly secure  and is also a good practice because secure and non-secure won t collide  There are other benefits to prefixes too   Using different  etc hosts domains for https vs  http access would work too  but one accidental https   localhost visit will prevent any cookies of the same names to work on http   localhost sites - so this is not a good workaround   I have filed a Chrome bug report

User · Answer

I had the same issue and I fixed it by putting 2 dots in the cookie name itself without specifying any domain   set-cookie  name s1 s2 value  path    expires Sun  12 Aug 2018 14 28 43 GMT  HttpOnly

User · Answer

Tried all of the options above  What worked for me was   Make sure the request to server have withCredentials set to true  XMLHttpRequest from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request  Do not set Domain Set Path    Resulting Set-Cookie header  Set-Cookie  session token 74528588-7c48-4546-a3ae-4326e22449e5  Expires Sun  16 Aug 2020 04 40 42 GMT  Path

User · Answer

When a cookie is set with an explicit domain of  localhost  as follows        Set-Cookie  name value    domain localhost  expires Thu  16-Jul-2009 21 25 05 GMT  path        then browsers ignore it because it does not include at least two periods and is not one of seven specially handled  top level domains          domains must have at least two  2  or three  3  periods in them to   prevent domains of the form    com     edu   and  va us   Any domain   that fails within one of the seven special top level domains listed   below only require two periods  Any other domain requires at least   three  The seven special top level domains are   COM    EDU    NET      ORG    GOV    MIL   and  INT     Note that the number of periods above probably assumes that a leading period is required  This period is however ignored in modern browsers and it should probably read        at least one  1  or two  2  periods   Note that the default value for the domain attribute is the host name of the server which generated the cookie response   So a workaround for cookies not being set for localhost is to simply not specify a domain attribute and let the browser use the default value - this does not appear to have the same constraints that an explicit value in the domain attribute does

User · Answer

I broadly agree with  Ralph Buchfelder  but here s some amplification of this  by experiment when trying to replicate a system with several subdomains  such as example com  fr example com  de example com  on my local machine  OS X   Apache   Chrome Firefox    I ve edited  etc hosts to point some imaginary subdomains at 127 0 0 1   127 0 0 1 localexample com 127 0 0 1 fr localexample com 127 0 0 1 de localexample com   If I am working on fr localexample com and I leave the domain parameter out  the cookie is stored correctly for fr localexample com  but is not visible in the other subdomains   If I use a domain of   localexample com   the cookie is stored correctly for fr localexample com  and is visible in other subdomains   If I use a domain of  localexample com   or when I was trying a domain of just  localexample  or  localhost   the cookie was not getting stored   If I use a domain of  fr localexample com  or   fr localexample com   the cookie is stored correctly for fr localexample com and is  correctly  invisible in other subdomains   So the requirement that you need at least two dots in the domain appears to be correct  even though I can t see why it should be   If anyone wants to try this out  here s some useful code    lt html gt   lt head gt   lt title gt  Testing cookies  lt  title gt   lt  head gt   lt body gt   lt  php header  HTTP 1 0 200     domain    fr localexample com         Change this to the domain you want to test  if   empty   GET  v            val     GET  v        print  Setting cookie to  val lt br  gt        setcookie  mycookie    val  time     48   3600        domain     print   lt pre gt    print  Cookie  lt br  gt    var dump   COOKIE   print  Server  lt br  gt    var dump   SERVER   print   lt  pre gt      gt   lt  body gt   lt  html gt

User · Answer

After much experimentation and reading various posts  this worked   I could set multiple cookies  read them back and set the time negative and delete them   func addCookie w http ResponseWriter  name string  value string        expire    time Now   AddDate 0  0  1      cookie    http Cookie         Name     name         Value    value         Expires  expire         Domain     localhost          Path                    http SetCookie w   amp cookie

User · Answer

Cookie needs to specify SameSite attribute  None value used to be the default  but recent browser versions made Lax the default value to have reasonably robust defense against some classes of cross-site request forgery  CSRF  attacks  Along with SameSite Lax you should also have Domain localhost  so your cookie will be associated to localhost and kept  It should look something like this  document cookie      name    value   expires   Path    Domain localhost  SameSite Lax    https   developer mozilla org en-US docs Web HTTP Headers Set-Cookie SameSite

User · Answer

None of the answers here worked for me   I fixed it by putting my PHP as the very very first thing in the page   Like other headers  cookies must be sent before any output from your script  this is a protocol restriction   This requires that you place calls to this function prior to any output  including  and  tags as well as any whitespace   From http   php net manual en function setcookie php

User · Answer

The only thing that worked for me was to set Path   on the cookie   Moreover  the default value of a path attribute seems to be different from browsers to browsers although I tested only two of them  Firefox and Chrome    Chrome tries to set a cookie as is  if path attribute is omitted in Set-Cookie header then it will not be stored and ignored   However  Firefox stores a cookie even without an explicit path attribute  It just set it with the requested path  my request url was  api v1 users and the path was set to  api v1 automatically   Anyway  both browsers worked when path was set to   even without an explicit domain  ie Domain localhost or something  So there are some differences in the way how each browser handles cookies

User · Answer

document cookie   valuename         value          expires     domain  path      this  domain  path     will take dynamic domain as its cookie will work in subdomain  if u want to test in localhost it will work

User · Answer

I had much better luck testing locally using 127 0 0 1 as the domain   I m not sure why  but I had mixed results with localhost and  localhost  etc

User · Answer

you can make use of localhost org or rather  localhost org it will always resolve to 127 0 0 1

User · Answer

If you re setting a cookie from another domain  ie you set the cookie by making an XHR cross origin request   then you need to make sure you set the withCredentials attribute to true on the XMLHttpRequest you use to fetch the cookie as described here

User · Answer

None of the suggested fixes worked for me - setting it to null  false  adding two dots  etc - didn t work    In the end  I just removed the domain from the cookie if it is localhost and that now works for me in Chrome 38   Previous code  did not work    document cookie   encodeURI key          encodeURI value      domain      document domain     path        New code  now working     if document domain      localhost             document cookie   encodeURI key          encodeURI value      path             else           document cookie   encodeURI key          encodeURI value      domain      document domain     path

User · Answer

localhost  You can use  domain    app localhost  and it will work  The  domain  parameter needs 1 or more dots in the domain name for setting cookies  Then you can have sessions working across localhost subdomains such as  api app localhost 3000

[cookies] Cookies on localhost with explicit domain

Examples related to cookies

Examples related to setcookie