I am setting a header with php’s setcookie
like:
setcookie('xxx', 'xxx', ['path'=>'/', 'samesite'=>'Strict', 'secure'=>1, 'httponly'=>1]);
In their developer tools, both Chrome and Edge show:
xxx=xxx; path=/; secure; HttpOnly; SameSite=Strict
with an orange triangle which states:
‘This Set-Cookie header had a invalid syntax.’ when hovered over.
There are no errors or warnings shown under the Issues tab, whereas leaving out any of the values shown above did.
Firefox has no problem and sends it back with the next request.
Why is it so?
P.S.: It is running in https on a web-facing server. All latest browser versions.
For comparison, this is from a Samsung site, and it’s ok:
JSESSIONID=371E1F0AFB88D3FBF0A1DF4B99432193; Path=/; Secure; HttpOnly
2 Answers
Mea culpa!
There had to be a simple answer, and that was that another setting was preventing the cookie from being used.
I had a Clear-Site-Data header that included "cookies". Removing "cookies" from that header meant the cookie became usable.
What was problematic was that Chrome and Edge gave misleading indicators, since the problem was not about invalid syntax at all.
Firefox seemed to have ignored the header altogether. Of course, there may be some subtleties around when the cookies are deleted.
If anything, the browser developer tools could have listed a warning item that stated that the cookie was deleted due to the Clear-Site-Data header, since creating a cookie only to have it deleted before it could be used is likely to be a mistake or oversight.
This issue is now solved.
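The warning the answer wishes the developer tools had shown can be produced from the response headers alone: if a response carries a Set-Cookie header and also a Clear-Site-Data header whose quoted directives include "cookies" (or the "*" wildcard), the freshly set cookie is a candidate for being wiped by the same response. The following is an added example, not code from the question or the answer above; the header values are constructed from the ones quoted in the question, and the function names (parse_clear_site_data, cookie_name, cookies_cleared_by_response) are this example's own. Directives that are not quoted strings are ignored, since Clear-Site-Data requires quoted directives.

```python
import re
from typing import Iterable

# Clear-Site-Data directives that clear cookies for the origin: "cookies" and the "*" wildcard.
COOKIE_CLEARING_DIRECTIVES = {"cookies", "*"}

# Constructed sample responses (header name, header value), modelled on the question:
# the broken one sets the cookie and clears cookies in the same reply, the fixed one
# keeps Clear-Site-Data but drops the "cookies" directive.
BROKEN_RESPONSE = [
    ("Set-Cookie", "xxx=xxx; path=/; secure; HttpOnly; SameSite=Strict"),
    ("Clear-Site-Data", '"cache", "cookies"'),
]
FIXED_RESPONSE = [
    ("Set-Cookie", "xxx=xxx; path=/; secure; HttpOnly; SameSite=Strict"),
    ("Clear-Site-Data", '"cache"'),
]


def parse_clear_site_data(value: str) -> set[str]:
    """Return the quoted directives of a Clear-Site-Data header value, lower-cased.

    Unquoted tokens are ignored, because the header grammar only accepts quoted strings.
    """
    return {d.lower() for d in re.findall(r'"([^"]*)"', value)}


def cookie_name(set_cookie_value: str) -> str:
    """Return the cookie name from a Set-Cookie value: the text before the first '='
    of the first (name=value) pair, before any attributes."""
    name_value = set_cookie_value.split(";", 1)[0]
    return name_value.split("=", 1)[0].strip()


def cookies_cleared_by_response(headers: Iterable[tuple[str, str]]) -> list[str]:
    """Return the names of cookies that a single response both sets (Set-Cookie)
    and clears (Clear-Site-Data with "cookies" or "*").

    An empty list means no conflict was found. Header names are matched case-insensitively.
    """
    set_names: list[str] = []
    clears_cookies = False
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            set_names.append(cookie_name(value))
        elif key == "clear-site-data":
            if parse_clear_site_data(value) & COOKIE_CLEARING_DIRECTIVES:
                clears_cookies = True
    return set_names if clears_cookies else []


if __name__ == "__main__":
    for label, response in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        clobbered = cookies_cleared_by_response(response)
        if clobbered:
            print(f"{label}: cookies set and cleared by the same response: {clobbered}")
        else:
            print(f"{label}: no Set-Cookie / Clear-Site-Data conflict")
```

The check runs over a list of (name, value) pairs, so it can be fed the headers of any captured response, for example the result of a curl -i run against the server. It only reports the combination the answer describes; whether a given browser actually discards the cookie, and when, is browser behaviour that this check does not model.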
From Wikipedia:
Perhaps you are running an older version of Firefox? Edge and Chrome are warning you that according to their stricter rules there is a contradiction between secure and HttpOnly.