Set-Cookie not working over Tunnels

I have a frontend at frontend.example.com and a backend at backend.example.com. The backend sends a Set-Cookie header, but it is not being set in the browser on the client:
token=cookie; Path=/; HttpOnly; Secure; SameSite=None
// Set the JWT as an HttpOnly cookie
http.SetCookie(w, &http.Cookie{
    Name:     "token",
    Value:    jwtToken,
    Path:     "/",
    HttpOnly: true,
    Secure:   true,
    SameSite: http.SameSiteNoneMode,
})
This is my Go backend code. Both are over HTTPS over Cloudflare Tunnels.
SuperHelpflare (Support AI), 3mo ago
According to the Cloudflare documentation on HTTP headers, the Set-Cookie header is not folded into a single header when multiple values are present, as per RFC 6265. However, in your case, it seems like the issue is not with the folding of multiple Set-Cookie headers, but rather with the fact that the cookie is not being set in the browser.

One possible reason for this is that the SameSite=None attribute is being used, which requires the Secure attribute to be present as well. However, since you are already setting the Secure attribute, this is unlikely to be the cause.

Another possible reason is that the cookie is being blocked by the browser due to the SameSite=None attribute. Some browsers have started to block cookies with this attribute by default, as a security measure.

To troubleshoot this issue, you can try checking the browser's console for any errors related to cookie blocking. You can also try setting the SameSite attribute to Lax or Strict to see if that resolves the issue.

Additionally, you can try using the Headers API to set the Set-Cookie header, as described in the Cloudflare documentation on Headers. This may help to ensure that the header is being set correctly. Here is an example of how you can use the Headers API to set the Set-Cookie header:
headers := w.Header()
headers.Set("Set-Cookie", "token="+jwtToken+"; Path=/; HttpOnly; Secure; SameSite=None")
Please note that this is just a suggestion, and you should consult the Cloudflare documentation and the Go documentation for more information on how to set cookies correctly.
This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.
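
Added example (not part of the original post or the reply, and not Cloudflare's code): assuming the frontend calls the backend cross-origin with credentials enabled (for example `fetch` with `credentials: "include"`), this Go check runs a handler against a constructed request and reports response-side conditions under which the browser fails the request or rejects the cookie. The names `login`, `diagnose` and `check`, the `/login` path, the `https` origin and the cookie value are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Origin of the page's frontend; the https scheme is an assumption.
const frontendOrigin = "https://frontend.example.com"

// login sets the cookie as in the post and adds credentialed-CORS headers (added here, hypothetical handler).
func login(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", frontendOrigin) // "*" is refused with credentials
	w.Header().Set("Access-Control-Allow-Credentials", "true")
	http.SetCookie(w, &http.Cookie{Name: "token", Value: "constructed-jwt", Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteNoneMode})
}

// diagnose lists response-side reasons a credentialed request from origin fails or the cookie is rejected.
func diagnose(h http.Header, origin string) []string {
	var problems []string
	cookies := (&http.Response{Header: h}).Cookies()
	if len(cookies) == 0 {
		problems = append(problems, "no Set-Cookie header in the response")
	}
	for _, c := range cookies {
		if c.SameSite == http.SameSiteNoneMode && !c.Secure {
			problems = append(problems, c.Name+": SameSite=None without Secure")
		}
	}
	if h.Get("Access-Control-Allow-Origin") != origin {
		problems = append(problems, "Access-Control-Allow-Origin is not the exact frontend origin")
	}
	if h.Get("Access-Control-Allow-Credentials") != "true" {
		problems = append(problems, "Access-Control-Allow-Credentials: true is missing")
	}
	return problems
}

func check(handler http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("POST", "https://backend.example.com/login", nil) // constructed request
	req.Header.Set("Origin", frontendOrigin)
	handler(rec, req)
	return diagnose(rec.Result().Header, frontendOrigin)
}

func main() { fmt.Println(check(login)) }
```

An empty result only means these response-side checks passed; the browser's network panel still shows whether the request was sent with credentials and whether the cookie was stored.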
