Browser Cookie Not Being Set Fix

DodaTech Updated 2026-06-24 3 min read

This tutorial explains why a browser cookie fails to be set and how to fix it, covering the key concepts, practical examples, and best practices.

Cookies are set via Set-Cookie HTTP headers or JavaScript. When cookies fail to set, the cause is usually missing SameSite attributes, mismatched domain/path, or the Secure flag being required by the browser.

The Wrong Way

from flask import Flask, make_response

app = Flask(__name__)

@app.route("/login")
def login():
    response = make_response("Logged in")
    # Missing cookie attributes
    response.set_cookie("session_id", "abc123")
    return response

Output in browser:

# Cookie not set in Chrome (SameSite defaults to Lax)
# Cross-site requests get no cookie

The Right Way

Set cookies with all required attributes:

from flask import Flask, make_response
from datetime import datetime, timedelta, timezone

app = Flask(__name__)

@app.route("/login")
def login():
    response = make_response("Logged in")

    # Timezone-aware expiry; datetime.utcnow() is deprecated since Python 3.12
    expires = datetime.now(timezone.utc) + timedelta(days=30)
    response.set_cookie(
        key="session_id",
        value="abc123",
        expires=expires,
        httponly=True,
        secure=True,        # HTTPS only
        samesite="Lax",     # Modern SameSite policy
        path="/",           # Available everywhere
        domain="example.com"
    )

    return response

Step-by-Step Fix

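1. Check the response for a Set-Cookie header

# -i prints the response headers with the body; -I would send a HEAD
# request and cannot be combined with -d
curl -i -X POST https://example.com/login \
  -H "Content-Type: application/json" \
  -d '{"user":"test","pass":"test"}' \
  -c cookies.txt

# Look for Set-Cookie header in response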

2. Configure SameSite correctly

# For cross-site requests (e.g., embedded in iframe)
response.set_cookie("key", "value", samesite="None", secure=True)

# For same-site requests only
response.set_cookie("key", "value", samesite="Lax")

# Maximum security
response.set_cookie("key", "value", samesite="Strict")

3. Set Secure flag for HTTPS

# Only set secure=True when using HTTPS
# Without this, cookies are not set on HTTPS pages
response.set_cookie("key", "value", secure=True)

4. Match domain and path

# Cookie domain must match or be a parent of the request domain
# This will NOT work on api.example.com
response.set_cookie("key", "value", domain="example.com")

# Use path to restrict to specific sections
response.set_cookie("key", "value", path="/app/")

5. Check if cookies are enabled in the browser

// Check if cookies are enabled
console.log(navigator.cookieEnabled);
// Returns false if cookies are disabled in browser settings

6. Use JavaScript to set cookies (with same restrictions)

document.cookie = "session_id=abc123; path=/; secure; samesite=Lax";

Prevention Tips

  • Always set Secure flag when serving over HTTPS.
  • Set SameSite explicitly (Lax for most cases, None for third-party).
  • Use __Host- prefix cookies for maximum security.
  • Match cookie domain and path to the request URL.
  • Check navigator.cookieEnabled before relying on cookies.

FAQ

What is the SameSite cookie attribute?

SameSite controls whether cookies are sent with cross-site requests. Lax sends cookies for top-level navigations, Strict only for same-site requests, and None sends with all requests (requires Secure).

Incognito/private browsing modes may block third-party cookies or apply stricter SameSite defaults. Check the browser's privacy settings and ensure SameSite=None; Secure for cross-site use.

How do cookies work across subdomains?

A cookie set for example.com is sent to api.example.com and www.example.com. A cookie set for api.example.com is only sent to api.example.com. Use domain=.example.com for cross-subdomain cookies.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.