I simply cannot make a 302 redirect send a cookie.
I have a 302 request at https://mysite-api.azurewebsites.net/api/123456
which responds with:
{
status: 302,
headers: {
"Access-Control-Allow-Credentials": true,
"Set-Cookie": `testcookie3=abcd; Max-Age=2592000; SameSite=Lax; Secure; Path=/;`,
Location: `www.mysite.com`,
},
body: "Redirecting..."
}
I'm calling it from my local machine, just as an html file in chrome/firefox:
<html>
<body>
<form
action="https://mysite-api.azurewebsites.net/api/123456/redirect"
method="post"
>
<label for="token">Token:</label>
<input type="text" id="token" name="token" /><br /><br />
<button type="submit">Submit this tab</button>
</form>
</body>
</html>
I can see it call the redirect request, and I can see the response cookie is set.
However, it's not stored, and on the actual redirect it's immediately removed.
The test page simply displays Cookie: |{document.cookie}| and it's blank; no cookies are received by the redirect site.
CodePudding user response:
It seems that when doing a redirect you simply must have the UI and API on the same domain.
Since this was the case in production, I had to ensure my development environment is also hosted on the same domain, and then the cookie:
Token=ABCDE; Max-Age=2592000; Path=/; Domain=subdomain.mysite.dev; HttpOnly; Secure;
Worked, for the UI at subdomain.mysite.dev and the api at api.subdomain.mysite.dev.
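Added example, not part of the question or the answer above: a small model of the RFC 6265 rules that decide whether a cookie set by one host is stored and later sent to another host. It is written against the hostnames and Set-Cookie values that appear on this page; the function names (parseSetCookie, storeCookie, wouldSend) and the simplified attribute handling are this example's own, not a browser API. It shows why the question's cookie never reaches www.mysite.com (no Domain attribute, so the cookie is host-only to mysite-api.azurewebsites.net, which www.mysite.com does not match) and why the answer's cookie does reach subdomain.mysite.dev (Domain=subdomain.mysite.dev is a parent of the setting host api.subdomain.mysite.dev, so the browser accepts it and the UI host domain-matches).

```javascript
// Added example modelling RFC 6265 cookie scoping; hostnames come from the page.

// Parse the attributes of one Set-Cookie header value (simplified: Max-Age /
// Expires are ignored because only scoping is being modelled here).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: null,      // null => host-only cookie
    path: "/",
    secure: false,
    httpOnly: false,
    sameSite: "Lax",   // browsers default to Lax when the attribute is absent
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain":   cookie.domain = v.replace(/^\./, "").toLowerCase(); break;
      case "path":     cookie.path = v || "/"; break;
      case "secure":   cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = v ? v[0].toUpperCase() + v.slice(1).toLowerCase() : "Lax"; break;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3: host domain-matches domain if it is equal to it or
// ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4 path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.3: the browser keeps the cookie only if the host that set
// it domain-matches the Domain attribute. Without a Domain attribute the cookie
// is host-only, i.e. sent back to exactly the setting host.
// Returns the stored cookie, or null if the browser would reject it.
function storeCookie(setterHost, header) {
  const c = parseSetCookie(header);
  if (c.domain === null) {
    return { ...c, hostOnly: true, domain: setterHost.toLowerCase() };
  }
  if (!domainMatches(setterHost, c.domain)) return null; // rejected
  return { ...c, hostOnly: false };
}

// RFC 6265 section 5.4: would a stored cookie be attached to a request to
// requestHost / requestPath? (SameSite is not modelled; see the note below.)
function wouldSend(stored, requestHost, requestPath = "/", https = true) {
  if (!stored) return false;
  const hostOk = stored.hostOnly
    ? requestHost.toLowerCase() === stored.domain
    : domainMatches(requestHost, stored.domain);
  if (!hostOk) return false;
  if (stored.secure && !https) return false;
  return pathMatches(requestPath, stored.path);
}

// Scenario from the question: cookie set by the API host, redirect to www.mysite.com.
const questionCookie = storeCookie(
  "mysite-api.azurewebsites.net",
  "testcookie3=abcd; Max-Age=2592000; SameSite=Lax; Secure; Path=/;"
);
console.log(questionCookie.hostOnly, wouldSend(questionCookie, "www.mysite.com")); // true false

// Scenario from the answer: API on a subdomain, Domain set to the parent that hosts the UI.
const answerCookie = storeCookie(
  "api.subdomain.mysite.dev",
  "Token=ABCDE; Max-Age=2592000; Path=/; Domain=subdomain.mysite.dev; HttpOnly; Secure;"
);
console.log(wouldSend(answerCookie, "subdomain.mysite.dev")); // true

// A Domain the setting host is not under is rejected by the browser outright.
console.log(storeCookie("api.subdomain.mysite.dev", "Token=x; Domain=mysite.com")); // null
```

Two caveats the model leaves out: real browsers also refuse a Domain attribute that is a public suffix (azurewebsites.net is on the Public Suffix List, so the question's API could not have widened its cookie to the whole of azurewebsites.net), and SameSite=Lax separately suppresses the cookie on cross-site POSTs. The host-only mismatch above is enough on its own to explain the blank document.cookie in the question, which is why moving the UI and API under one registrable domain, as the answer did, is the fix.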