
Add an option to set cookie in response to an AJAX request

Open: ackava opened this issue (3 comments)

This is a great tool to test cookies, but in some test cases browsers or applications fail to sync cookies if they are set via an AJAX request. So it would be great if you could add an option to set a cookie on page reload or via an AJAX request and see if it persisted correctly.

ackava, Aug 31 '24 09:08

Hi, thanks for the interest! I'm interested in what this feature would offer. In my experience, most issues setting cookies via Ajax are with implementation details, particularly with cross-origin requests, such as missing Access-Control headers or withCredentials config. What issues have you seen that don't fall into this category?

cmbuckley, Sep 08 '24 10:09

Recently I encountered a bug in a WebView (in an Android app), which was synchronizing cookies only after the whole page was refreshed, not when a cookie was set via an AJAX request. We fixed the bug by manually forcing a page refresh after the cookie was set, but this was a really unusual bug.

Now imagine I am testing a specific browser or some environment where cookies are set correctly through an AJAX request but not synchronized to disk etc.; we would be able to test this with your site.

ackava, Sep 12 '24 16:09

Ah, this reminds me of Safari's Intelligent Tracking Prevention which prevented setting a cookie on a third-party iframe unless that domain had previously been seen as a first-party request. I think third-party cookies shouldn't be covered here, but there could be value in injecting a "Submit with JavaScript" button into the form which submits with XHR. I'm not able to look into this at the moment but would welcome a PR!

cmbuckley, Sep 13 '24 08:09

Thanks for this awesome tool. I would also find this addition helpful. I will look into making a PR with this during holidays 🤞

motiko, Dec 18 '24 10:12

I also discovered an issue with Safari. On the project I am working on there are 3 domains: api.docker.localhost, frontend.docker.localhost, auth.docker.localhost.

When a user logs in on auth.docker.localhost, the user is redirected to frontend.docker.localhost with the cookie domain=.docker.localhost; HttpOnly; SameSite=Strict. And frontend.docker.localhost uses it to send Ajax requests to api.docker.localhost.

This is working perfectly in the Chrome browser, but I just discovered the issue on Safari. With SameSite=Strict, cookies were not accepted on redirection to frontend.docker.localhost from auth.docker.localhost. SameSite=Lax fixed this issue.

But now, even with withCredentials, the same cookie is not sent from frontend.docker.localhost to api.docker.localhost when making Ajax requests.

On Safari, sending an Ajax request to the same subdomain (ex: from api.docker.localhost to api.docker.localhost) works when the cookie domain is .docker.localhost. But cookies are not sent when sending an Ajax request to a different subdomain (ex: from frontend.docker.localhost to api.docker.localhost).

I am still researching this issue; it would be useful to have this Ajax request check in this project and also to mention the Safari issue.

@motiko thanks in advance. Let me know if you can't find time for it. Otherwise, I will work on a PR when I find time.

nuryagdym, Jan 02 '25 13:01

@nuryagdym it's worth mentioning that using .localhost as a TLD can get you into some strange behaviour that you wouldn't see if using a "proper" domain (or faking one via a hosts file). I expect Safari is not treating docker.localhost as a "site", so that's why SameSite=Lax was required.

cmbuckley, Jan 02 '25 13:01

@cmbuckley thanks for the response. I also now tried with the docker.local domain (it should be a "proper" domain). Safari still requires SameSite=Lax.

nuryagdym, Jan 02 '25 14:01

Hi, I should have included .local in the above as it's another special-use domain that can run into problems with cookies. Try any standard TLD like .localhost.com and the behaviour should be more consistent!

cmbuckley, Jan 02 '25 14:01

@cmbuckley you are right, with a .com TLD SameSite=Strict works. Even an Ajax request to another subdomain works on Safari.

I found a comment on the Internet that says he also had the same issue when using .localdev.

nuryagdym, Jan 02 '25 15:01
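The set-up nuryagdym describes above (auth.*, frontend.* and api.* under one parent, a Domain cookie with SameSite=Strict, a login redirect, then a credentialed Ajax call) and cmbuckley's earlier point about Access-Control headers and withCredentials both come down to the same two browser checks: does the cookie's Domain match the request host, and is the request same-site under the cookie's SameSite attribute. The following is an added JavaScript model of those checks; it is not code from setcookie.net or from PR #32. It assumes a tiny hard-coded public-suffix list in place of the real Public Suffix List, treats any unknown TLD as an ordinary one (so it reproduces the standard-TLD behaviour reported above and does not model Safari's handling of .localhost or .local), and all host names in it are constructed.

```javascript
// Added example: a model of the checks a browser makes before attaching a
// cookie to a request, plus the CORS headers a credentialed fetch needs.
// Not the code of setcookie.net or PR #32. Assumption: PUBLIC_SUFFIXES
// stands in for the real Public Suffix List; all hosts are constructed.

const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

// Registrable domain (the "site" for SameSite purposes): the public suffix
// plus one more label, e.g. example.com. A host with no known suffix falls
// back to its last two labels; this says nothing about how a particular
// browser treats special-use TLDs such as .localhost or .local.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return labels.slice(-2).join('.');
}

function isSameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

// RFC 6265 domain matching: the request host equals the cookie's Domain or
// is a subdomain of it. A leading dot on the Domain attribute is ignored.
function domainMatches(requestHost, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = requestHost.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie:  { domain, sameSite: 'Strict' | 'Lax' | 'None', secure: boolean }
// request: { scheme, host, initiatorHost, method, topLevelNavigation }
// initiatorHost is the document that caused the request: the page doing the
// fetch, or the page a navigation or redirect started from.
function cookieIsSent(cookie, request) {
  if (!domainMatches(request.host, cookie.domain)) return false;
  if (cookie.secure && request.scheme !== 'https') return false;
  const sameSite = isSameSite(request.initiatorHost, request.host);
  switch (cookie.sameSite || 'Lax') {
    case 'Strict':
      return sameSite;
    case 'Lax':
      // Lax also allows cross-site top-level navigations with a safe method.
      return sameSite || (request.topLevelNavigation && SAFE_METHODS.has(request.method));
    case 'None':
      // Browsers reject SameSite=None unless the cookie is also Secure.
      return cookie.secure === true;
    default:
      return sameSite;
  }
}

// A credentialed cross-origin fetch (credentials: 'include' / withCredentials)
// only succeeds when the response names the exact requesting origin (a
// wildcard is refused) and explicitly allows credentials.
function corsAllowsCredentials(responseHeaders, requestOrigin) {
  return responseHeaders['access-control-allow-origin'] === requestOrigin &&
         responseHeaders['access-control-allow-credentials'] === 'true';
}

// The flow from the thread on a constructed parent domain: login on auth.*
// redirects to frontend.*, which then makes a fetch (POST) to api.*.
function loginFlow(parent, cookie) {
  const redirect = { scheme: 'https', host: `frontend.${parent}`, initiatorHost: `auth.${parent}`,
                     method: 'GET', topLevelNavigation: true };
  const ajax = { scheme: 'https', host: `api.${parent}`, initiatorHost: `frontend.${parent}`,
                 method: 'POST', topLevelNavigation: false };
  return { redirect: cookieIsSent(cookie, redirect), ajax: cookieIsSent(cookie, ajax) };
}

const STRICT_COOKIE = { domain: '.example.com', sameSite: 'Strict', secure: true };

console.log('same-site flow:', loginFlow('example.com', STRICT_COOKIE));
// Cross-site: a page on docs.example.org talking to api.example.com.
const crossNav = { scheme: 'https', host: 'api.example.com', initiatorHost: 'docs.example.org',
                   method: 'GET', topLevelNavigation: true };
const crossFetch = { ...crossNav, method: 'POST', topLevelNavigation: false };
for (const sameSite of ['Strict', 'Lax', 'None']) {
  const c = { domain: '.example.com', sameSite, secure: true };
  console.log(sameSite, 'navigation:', cookieIsSent(c, crossNav), 'fetch:', cookieIsSent(c, crossFetch));
}
```

Run with node to see each scenario. With all three hosts under one registrable domain the Strict cookie is attached both on the redirect and on the fetch, which is the standard-TLD outcome described in this thread; the cross-site cases show why a Lax cookie rides along on a top-level GET navigation but not on a fetch POST, and why SameSite=None is dropped without Secure.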

@nuryagdym I've opened PR #32 that allows setting a cookie from an Ajax request. For now just with a fetch call. Do you think adding XMLHttpRequest would be useful?

motiko, Jan 07 '25 07:01

@cmbuckley I've added a bit of rationale for adding this on the PR. While I generally agree with you, I believe having a tool available that allows checking various scenarios quickly is useful. LMK what you think, and thank you for making this tool available.

motiko, Jan 07 '25 07:01

> @nuryagdym I've opened PR #32 that allows setting a cookie from an Ajax request. For now just with a fetch call. Do you think adding XMLHttpRequest would be useful?

Thanks :), I would say fetch is enough. I don't know if there is a difference in cookie behaviour between these technologies.

nuryagdym, Jan 07 '25 08:01