Yes. Every request carries the cookies that belong to the same domain. They are not cached between requests because HTTP is stateless, which means each request must contain enough information on its own for the server to work out what to do with it.
Can cross domain access cookies?
There is no such thing as a cross-domain cookie. You can share a cookie between foo.example.com and bar.example.com, but never between example.com and example2.com, and that restriction exists for security reasons. You cannot share cookies across domains; you can, however, allow all subdomains of one domain to access a cookie.
If the server does not explicitly allow credentials to be sent along with a cross-site request, the browser will simply not attach cookies or Authorization headers. This is another reason why cookies may be missing from a cross-site POST request. Solution tip: in your server code, set the appropriate CORS response headers that allow credentials.
How to set cookies for cross site requests?
A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. So if your backend server does not set SameSite=None, Chrome will use SameSite=Lax by default and will not use this cookie with { withCredentials: true } requests.
If cookies were not sent with every request, the server would have no way to know which user is requesting a given resource. The browser has no idea whether the server needs the cookies for a particular request; it only knows the server instructed it to send the cookie with any request to foo.com, so it does so.
When do you send cookies in SameSite attribute?
The SameSite attribute accepts three values. With the Lax setting, cookies are not sent on normal cross-site subrequests (for example, when loading images or frames into a third-party site), but they are sent when a user navigates to the origin site (i.e. when following a link).
A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Note that insecure sites (http:) cannot set cookies with the Secure directive. On older browser versions you might see a warning that the cookie will be blocked in the future.
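The two server-side settings discussed above (the credentials-allowing CORS headers, and the SameSite/Secure rules that decide whether a browser attaches a cookie to a cross-site request) as one added example; this is illustrative code written for this page, not code from any browser or framework, and ALLOWED_ORIGINS is an assumed allow-list:

```javascript
// Added example for this page: a tiny model of the cross-site cookie rules.
// ALLOWED_ORIGINS is an assumed allow-list of front-end origins.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Response headers for a credentialed cross-site request. Browsers refuse to use
// credentials when Allow-Origin is "*", so the request origin is echoed back only
// if it is on the allow-list; otherwise no CORS headers are sent at all.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // a cache must not reuse one origin's response for another
  };
}

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const out = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const [k, v] = a.split("=");
    out.attrs[k.toLowerCase()] = v === undefined ? true : v; // bare flag => true
  }
  return out;
}

// Would a browser attach this cookie to a request of the given kind?
// kind: "same-site" | "cross-site-subrequest" | "cross-site-navigation"
// Rules as described on the page: unset SameSite behaves as Lax, SameSite=None
// requires Secure, and Secure cookies never travel over plain http.
function cookieAttached(setCookieHeader, kind, scheme = "https") {
  const { attrs } = parseSetCookie(setCookieHeader);
  const secure = attrs.secure === true;
  const sameSite = String(attrs.samesite || "lax").toLowerCase();
  if (secure && scheme !== "https") return false;
  if (sameSite === "none") return secure; // None without Secure is rejected outright
  if (kind === "same-site") return true;
  if (kind === "cross-site-navigation") return sameSite === "lax";
  return false; // cross-site subrequest: Lax and Strict cookies are withheld
}
```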