Cookie not being set in Safari
I was surprised when a login workflow I implemented worked in all browsers except Safari.
Turns out Safari doesn’t allow setting the secure property on a cookie on localhost.
So I had to remove this cookie property, and things worked again.
From MDN:
A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It’s never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can’t access it easily. Insecure sites (with http: in the URL) can’t set cookies with the Secure attribute.
Also from MDN:
Insecure sites (http:) cannot set cookies with the Secure attribute (since Chrome 52 and Firefox 52). The https: requirements are ignored when the Secure attribute is set by localhost (since Chrome 89 and Firefox 75).
Not sure if this is how things should work and Chrome and Firefox allow this to make our life simpler, or it’s a Safari bug, but that’s how it is.
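Rather than dropping Secure everywhere, the attribute can follow the transport, so it is omitted only on plain-HTTP local development and stays on in production. This is an added example, not code from the original post; the helper names `isHttpsRequest` and `buildSessionCookie`, the `trustProxy` option and the sample request objects are assumptions constructed for illustration.

```javascript
// Decide whether the request reached the server over HTTPS.
// `req` is shaped like a Node.js http.IncomingMessage.
// trustProxy (assumed option): set to true only when a reverse proxy you
// control terminates TLS and sets X-Forwarded-Proto itself.
function isHttpsRequest(req, trustProxy = false) {
  // Direct TLS connection: Node's tls.TLSSocket exposes `encrypted === true`.
  if (req.socket && req.socket.encrypted) return true;
  if (trustProxy) {
    const raw = String((req.headers || {})['x-forwarded-proto'] || '');
    return raw.split(',')[0].trim().toLowerCase() === 'https';
  }
  return false;
}

// Build the Set-Cookie header value for a session cookie.
// Secure is added on HTTPS and left out on plain HTTP (e.g. http://localhost),
// which is the case where Safari refuses to store the cookie.
function buildSessionCookie(name, value, req, { trustProxy = false, maxAge = 3600 } = {}) {
  if (!/^[\w!#$%&'*+\-.^`|~]+$/.test(name)) {
    throw new TypeError('invalid cookie name');
  }
  const attrs = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    'HttpOnly',
    'SameSite=Lax',
    `Max-Age=${maxAge}`,
  ];
  if (isHttpsRequest(req, trustProxy)) attrs.push('Secure');
  return attrs.join('; ');
}

// Constructed sample requests (not captured traffic).
const localDev = { socket: {}, headers: { host: 'localhost:3000' } };
const prodDirect = { socket: { encrypted: true }, headers: { host: 'example.com' } };
const prodProxied = { socket: {}, headers: { 'x-forwarded-proto': 'https' } };

console.log(buildSessionCookie('sid', 'abc123', localDev));
console.log(buildSessionCookie('sid', 'abc123', prodDirect));
console.log(buildSessionCookie('sid', 'abc123', prodProxied, { trustProxy: true }));
```

In a Node.js handler the returned string would be passed to `res.setHeader('Set-Cookie', ...)`.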