A browser does not send a cookie
Diagnose cookie storage and request selection separately from CORS response access.
- cookies
- browsers
- diagnostics
Diagnostic overview
Symptoms
- A Set-Cookie response was observed but a later request has no matching Cookie pair.
- The cookie is sent on one path or navigation but not another Fetch request.
Likely layers
client, origin, protocol
Common causes
- The browser rejected storage because attributes or policy were incompatible.
- Host, Domain, Path, Secure, expiry, or SameSite selection excludes the request.
- Fetch credential mode or browser privacy controls withhold credentials.
Diagnostic steps
Confirm the browser stored the cookie and record its effective attributes.
Look for: A rejected Set-Cookie is a storage issue, not a later sending issue.
Compare request scheme, host, path, site context, and time with the attributes.
Look for: The first non-matching scope rule explains ordinary selection failure.
Check Fetch credential mode and current supported-browser privacy behavior.
Look for: Context policy can withhold an otherwise matching stored cookie.
Targeted fixes
- Use the narrowest Domain and Path that match the intended requests.
- Set Secure, SameSite, lifetime, and credential mode as one tested browser contract.
- Keep CORS sharing policy and cookie scope separate while verifying both.
First confirm storage
Inspect the browser’s cookie storage record and any rejection reason on the Set-Cookie response.
Set-Cookie: session=opaque; Path=/app; Secure; HttpOnly; SameSite=Lax
Expected result: a supporting browser can store a host-only cookie for secure
requests under /app, subject to current policy. A later /api request does not
path-match this cookie.
Apply selection rules in order
Compare expiry, secure channel, host/Domain, Path, and same-site context. Then check the request’s credentials mode and browser privacy settings. Changing every attribute at once removes the evidence of which boundary failed.
Keep CORS separate
A cookie can be sent even when CORS prevents script from reading the response, and CORS success does not force a cookie to be sent. Verify the network request’s Cookie field and the response-sharing decision independently.
Primary sources
- RFC 6265 — HTTP State Management Mechanism (rfc)
- Current HTTP Working Group cookie specification draft (primary documentation)
