Sending browser cookies during redirect 302

Is there a problem sending a cookie during a 302 redirect? For example, if I create a return-to-URL cookie and redirect the user in the same response, will any (modern) browser ignore the cookie?

+67
Jan 14 '11 at 17:38
6 answers

Most browsers accept cookies on 302 redirects. I was absolutely sure of it, but I searched a little. Not all modern browsers do. Internet Archive link to a now deleted/dead Microsoft Connect Q&A: "Silverlight client HTTP stack ignores Set-Cookie in 302 Redirect responses" (2010).

I think we now have a replacement for IE6 and Windows Mobile browsers ...

+32
Jan 14 2018-11-21T00:

According to this blog post: http://blog.dubbelboer.com/2012/11/25/302-cookie.html all major browsers, IE (6, 7, 8, 9, 10), FF (17), Safari (6.0.2), Opera (12.11), on both Windows and Mac, set cookies on redirects. This is true for both 301 and 302 redirects.

+44
Nov 13 '13 at 7:47

One note (to save a developer's life):

IE and Edge ignore Set-Cookie in the redirect response when the cookie domain is local.

Solution:

Use 127.0.0.1 instead of localhost.

+29
Oct 28 '16 at 11:19

Here is the Chromium error for this problem (Set-cookie is ignored for HTTP response with status 302).

+14
Jun 16 '16 at 17:05

This is a really deprecated approach, but if you really don't want to rely on the browser's 30x Set-Cookie behavior, you can use an HTML meta http-equiv="refresh" "redirect" when setting the cookie. For example, in PHP:

    <?php
    ...
    setcookie("cookie", "value", ...);
    $url = "page.php";
    ?>
    <html>
    <head><meta http-equiv="refresh" content="1;url=<?=$url?>"></head>
    <body><a href="<?=$url?>">Continue...</a></body>
    </html>

The server will send a Set-Cookie with 200 instead of the correct 300x redirect, so the browser will save the cookie and then perform a “redirect”. The <a> link is redundant if the browser does not perform a meta update.

+1
Jul 30 '19 at 15:26

In my case, I set CookieOptions.Secure = true, but tested it on http://localhost, and the browser hid the cookies, as configured.

To avoid this problem, you can make the cookie's Secure parameter follow Request.IsHttps, for example:

    new CookieOptions()
    {
        Path = "/",
        HttpOnly = true,
        // Mark the cookie Secure only when the request itself arrived over HTTPS.
        Secure = Request.IsHttps,
        Expires = expires
    }

-3
Oct 02 '17 at 12:25
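
A way to check both behaviours discussed in the answers above, as an added example that is not part of any answer: a local server sends two Set-Cookie headers on a 302, and a cookie-aware client follows the redirect over plain HTTP. Python's urllib and http.cookiejar stand in for a browser here, and the paths and cookie names are constructed for the test.

```python
import http.cookiejar
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/login":
            # 302 response that also carries Set-Cookie, as in the question.
            self.send_response(302)
            self.send_header("Location", "/landing")
            self.send_header("Set-Cookie", "return_to=/account; Path=/; HttpOnly")
            self.send_header("Set-Cookie", "session=constructed; Path=/; Secure; HttpOnly")
            self.end_headers()
        else:
            # Redirect target: echo back whatever Cookie header arrived.
            body = self.headers.get("Cookie", "").encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def cookies_seen_after_redirect():
    """Follow /login -> /landing; return (names stored, names sent to /landing)."""
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        jar = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(
            urllib.request.ProxyHandler({}),  # ignore any proxy environment variables
            urllib.request.HTTPCookieProcessor(jar))
        url = f"http://127.0.0.1:{server.server_port}/login"
        with opener.open(url, timeout=5) as resp:
            echoed = resp.read().decode()
        stored = sorted(c.name for c in jar)
        sent = sorted(p.split("=")[0].strip() for p in echoed.split(";") if p.strip())
        return stored, sent
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(cookies_seen_after_redirect())
```

With this client, both cookies from the 302 are stored, but only the one without the Secure attribute is sent to the redirect target over http://, which is the symptom described in the last answer.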


