A browser does not send a cookie

Diagnose cookie storage and request selection separately from CORS response access.

  • cookies
  • browsers
  • diagnostics

Diagnostic overview

Symptoms

  • A Set-Cookie response was observed but a later request has no matching Cookie pair.
  • The cookie is sent on one path or navigation but not another Fetch request.

Likely layers

client, origin, protocol

Common causes

  • The browser rejected storage because attributes or policy were incompatible.
  • Host, Domain, Path, Secure, expiry, or SameSite selection excludes the request.
  • Fetch credential mode or browser privacy controls withhold credentials.

Diagnostic steps

  1. Confirm the browser stored the cookie and record its effective attributes.

    Look for: A rejected Set-Cookie is a storage issue, not a later sending issue.

  2. Compare request scheme, host, path, site context, and time with the attributes.

    Look for: The first non-matching scope rule explains ordinary selection failure.

  3. Check Fetch credential mode and current supported-browser privacy behavior.

    Look for: Context policy can withhold an otherwise matching stored cookie.

Targeted fixes

  • Use the narrowest Domain and Path that match the intended requests.
  • Set Secure, SameSite, lifetime, and credential mode as one tested browser contract.
  • Keep CORS sharing policy and cookie scope separate while verifying both.

First confirm storage

Inspect the browser’s cookie storage record and any rejection reason on the Set-Cookie response.

Set-Cookie: session=opaque; Path=/app; Secure; HttpOnly; SameSite=Lax

Expected result: a supporting browser can store a host-only cookie for secure requests under /app, subject to current policy. A later /api request does not path-match this cookie.

Apply selection rules in order

Compare expiry, secure channel, host/Domain, Path, and same-site context. Then check the request’s credentials mode and browser privacy settings. Changing every attribute at once removes the evidence of which boundary failed.

Keep CORS separate

A cookie can be sent even when CORS prevents script from reading the response, and CORS success does not force a cookie to be sent. Verify the network request’s Cookie field and the response-sharing decision independently.

Primary sources