Set-Cookie notes

While testing Set-Cookie in Chrome, I found that setting a cookie over http sometimes succeeds and sometimes fails.

Usually a Set-Cookie fails because some condition is not met, for example the header carries the Secure attribute but the response was not sent over https, or it has SameSite=None without Secure.

The example above is very simple: it only sets Path (the path the cookie applies to) and HttpOnly (which keeps JS code from reading the cookie), yet the browser reported an error: This Set-Cookie was blocked because it was not sent over a secure connection and would have overwritten a cookie with the Secure attribute.

After confirming that the Set-Cookie header sent by the server side really had no Secure attribute, I searched the web:

https://stackoverflow.com/questions/52763345/browsers-ignore-set-cookie-response-header-if-we-try-to-set-a-cookie-which-was-s

https://www.petefreitag.com/item/857.cfm

These explain that if the browser holds both http and https cookies for the same site, and the https cookie was set with Secure, that attribute affects Set-Cookie behaviour over http.

See also https://tools.ietf.org/html/rfc6265#section-8.5

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server.

In other words, cookies are not isolated by domain (that is, on the same site, http and https Set-Cookie operations interfere with each other), so extra care is needed when using them.
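As an added example (not part of the original note, and not Chrome's code), the following Python models the browser-side checks behind the three failure cases described here: Secure over plain http, SameSite=None without Secure, and the "Leave Secure Cookies Alone" rule from the RFC 6265bis draft's storage model that produced the error above. It assumes the jar holds only the current host's cookies; the names and structure are this example's own.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    samesite: str = ""


def parse_set_cookie(header: str) -> Cookie:
    """Parse 'name=value; Attr; Attr=val' (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "path":
            cookie.path = val.strip() or "/"
        elif key == "samesite":
            cookie.samesite = val.strip().lower()
    return cookie  # HttpOnly and other attributes are not needed for these checks


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: does request_path fall under cookie_path?"""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")


def check_set_cookie(header: str, scheme: str, jar: list) -> str:
    """Return 'accepted' or the reason a browser would drop this Set-Cookie.
    jar: existing Cookie objects for the same host (assumption of this example)."""
    new = parse_set_cookie(header)
    if new.secure and scheme != "https":
        return "blocked: Secure attribute but response not sent over https"
    if new.samesite == "none" and not new.secure:
        return "blocked: SameSite=None requires Secure"
    # Leave Secure Cookies Alone: a non-https response may not overwrite or shadow
    # an existing Secure cookie of the same name whose path the new cookie falls under.
    if not new.secure and scheme != "https":
        for old in jar:
            if old.secure and old.name == new.name and path_matches(new.path, old.path):
                return "blocked: would overwrite a cookie with the Secure attribute"
    return "accepted"
```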
