While testing Set-Cookie in Chrome, I noticed that setting a cookie over HTTP sometimes succeeded and sometimes failed.
Usually a Set-Cookie fails because some condition is not met, for example the header carries the Secure attribute but the response was not delivered over HTTPS, or it has SameSite=None without Secure.
The example above is very simple: Path (the path the cookie applies to) and HttpOnly (JavaScript code cannot access the cookie), yet the browser reported an error: This Set-Cookie was blocked because it was not sent over a secure connection and would have overwritten a cookie with the Secure attribute.
After confirming that the Set-Cookie header sent by the server side really did not contain Secure, I looked around online:
https://www.petefreitag.com/item/857.cfm
The page above explains that if the browser already holds both HTTP and HTTPS cookies for the same site, and the HTTPS cookie was set with Secure, that attribute affects Set-Cookie behaviour over HTTP.
Also see https://tools.ietf.org/html/rfc6265#section-8.5:
Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server.
In other words, cookies within a domain are not isolated by scheme or port (on the same site, Set-Cookie over HTTP and HTTPS interfere with each other), so extra care is needed when using them.
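To make the rule concrete, here is an added example (my own code, not from the post or from Chrome) that models the cookie-store checks involved: a Secure cookie over plain HTTP, SameSite=None without Secure, and the "leave Secure cookies alone" rule, where a non-secure origin may not overwrite an existing Secure cookie of the same name. Domain matching is simplified to an exact host comparison, which is an assumption of this model.

```python
from http.cookies import SimpleCookie


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match as defined in RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieStore:
    def __init__(self):
        self.cookies = []  # entries: {"name", "host", "path", "value", "secure"}

    def set_cookie(self, host: str, scheme: str, header: str) -> dict:
        """Apply one Set-Cookie header received from scheme://host.
        Returns {cookie name: "stored" or "blocked: <reason>"}."""
        parsed = SimpleCookie()
        parsed.load(header)
        outcome = {}
        for name, m in parsed.items():
            secure = bool(m["secure"])
            path = m["path"] or "/"
            over_https = scheme == "https"
            if secure and not over_https:
                outcome[name] = "blocked: Secure attribute but not sent over https"
                continue
            if m["samesite"].lower() == "none" and not secure:
                outcome[name] = "blocked: SameSite=None requires Secure"
                continue
            # Leave Secure cookies alone (RFC 6265bis): an existing Secure cookie with
            # the same name on the same host (simplified domain match) whose path
            # path-matches the new cookie's path cannot be touched over plain http.
            clash = [c for c in self.cookies
                     if c["name"] == name and c["secure"] and c["host"] == host
                     and path_matches(path, c["path"])]
            if not over_https and clash:
                outcome[name] = "blocked: would overwrite a cookie with the Secure attribute"
                continue
            self.cookies = [c for c in self.cookies
                            if (c["name"], c["host"], c["path"]) != (name, host, path)]
            self.cookies.append({"name": name, "host": host, "path": path,
                                 "value": m.value, "secure": secure})
            outcome[name] = "stored"
        return outcome


def demo() -> list:
    """Constructed scenario: https sets a Secure cookie, then http tries to overwrite it."""
    store = CookieStore()
    r1 = store.set_cookie("example.com", "https", "sid=abc; Secure; Path=/")
    r2 = store.set_cookie("example.com", "http", "sid=xyz; Path=/app; HttpOnly")
    r3 = store.set_cookie("example.com", "http", "theme=dark; Path=/")
    r4 = store.set_cookie("example.com", "http", "t=1; SameSite=None")
    return [r1["sid"], r2["sid"], r3["theme"], r4["t"]]
```

Running `demo()` reproduces the situation in the post: the second `sid` is blocked even though its own header has no Secure attribute, while an unrelated cookie set over HTTP is stored normally.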