Fix a cookie that will not set
We'll confirm the cookie is not setting, fix SameSite, Secure, domain, and path—or identify when the browser blocks it for security.
What you'll need
- Browser DevTools (Application and Network tabs)
- Access to the server or backend that sets the cookie
Step-by-step diagnostic
Quick triage — pick your path
Choose the option that matches what you see. You can jump straight to that section.
- Follow this guide: Work through the full procedure from confirming the symptom to fixing attributes.
- Confirm the cookie is not setting: You need to verify the cookie is missing in DevTools.
- Fix SameSite and Secure: Cross-site cookies need SameSite=None; Secure.
- Fix domain and path: The cookie may have wrong domain or path.
- When to contact support: You have tried the fixes and the cookie still does not set.
Steps
Goal: Confirm the cookie is not setting, fix SameSite, Secure, domain, and path—or identify when the browser blocks it.
- Open DevTools (F12) > Application > Cookies. Select your site. Reproduce the action that should set the cookie.
- Good: The cookie is missing. Check Network for the response with Set-Cookie. Proceed to Fix SameSite and Secure.
- Bad: The cookie appears—the issue may be when it is sent, not when it is set.
Confirm the cookie is not setting
Goal: Verify the cookie is missing in Application and capture the Set-Cookie header.
- In Network, find the response that should set the cookie. Check the Response Headers for Set-Cookie.
- Note the full header: name, value, SameSite, Secure, domain, path.
- Good: You have the header. Proceed to check attributes. Bad: No Set-Cookie—the server is not sending it; fix the backend.
Fix SameSite and Secure
Goal: Ensure SameSite=None and Secure are used correctly for cross-site cookies.
- SameSite=None requires Secure. Add both: SameSite=None; Secure.
- Secure cookies only set over HTTPS. If the site is HTTP, the browser blocks them. Use HTTPS for local development (e.g. localhost with HTTPS or a tunnel).
- For same-site cookies, use SameSite=Lax (default) or Strict. You do not need None unless the cookie is used cross-site.
- Good: Header has SameSite=None; Secure and the site is HTTPS. Bad: Still not setting—check domain and path.
Fix domain and path
Goal: Ensure domain and path match the request.
- Domain must match the request host or be a parent (e.g. .example.com for sub.example.com). Omit domain for exact-host cookies.
- Path must match the request path. Use path=/ for site-wide cookies. If you set path=/api, the cookie is only sent for /api/*.
- Good: Domain and path are correct. The cookie should set. Bad: Still not setting—check size (4KB limit) and third-party blocking.
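The attribute checks from the steps above can be run against a captured Set-Cookie header and its request URL. This is an added example, not part of the original guide: the function name diagnoseSetCookie, the finding labels and the sample header are constructed, and it applies only the rules this guide lists.

```javascript
// Added example: lint a captured Set-Cookie header against the request URL.
// Implements only the checks listed in this guide; all names are constructed.
function diagnoseSetCookie(header, requestUrl) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const [pair, ...rest] = header.split(';').map((s) => s.trim());

  // Attribute names are case-insensitive; flag attributes (Secure) carry no value.
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[name] = eq < 0 ? true : part.slice(eq + 1).trim();
  }

  const findings = [];
  const sameSite = String(attrs.samesite || 'lax').toLowerCase();
  const secure = 'secure' in attrs;

  // SameSite=None requires Secure.
  if (sameSite === 'none' && !secure) findings.push('samesite-none-without-secure');
  // Secure cookies only set over HTTPS.
  if (secure && url.protocol !== 'https:') findings.push('secure-over-http');

  // Domain must be the request host or a parent of it (leading dot ignored).
  if (typeof attrs.domain === 'string' && attrs.domain) {
    const domain = attrs.domain.replace(/^\./, '').toLowerCase();
    if (host !== domain && !host.endsWith('.' + domain)) findings.push('domain-mismatch');
  }

  // Path=/api covers /api and /api/*, but not /apix.
  if (typeof attrs.path === 'string' && attrs.path.startsWith('/')) {
    const p = attrs.path;
    const req = url.pathname;
    const covers = req === p || (req.startsWith(p) && (p.endsWith('/') || req[p.length] === '/'));
    if (!covers) findings.push('path-excludes-request');
  }

  // 4KB limit, measured here on the name=value pair in bytes.
  if (new TextEncoder().encode(pair).length > 4096) findings.push('over-4kb');
  return findings;
}

// Constructed sample: SameSite=None sent without Secure.
console.log(diagnoseSetCookie('sid=abc; SameSite=None; Path=/', 'https://app.example.com/login'));
```

An empty result means none of the listed attribute problems apply, which leaves third-party blocking and extensions as the remaining suspects.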
When to get help
- You have fixed SameSite, Secure, domain, and path and the cookie still does not set. Capture the Set-Cookie header, request URL, and console warnings. Check browser or extension blocking. Contact backend or hosting support.
- The cookie is set but not sent with requests. Verify the path and domain match the request URL.
Verification
- The cookie appears in DevTools > Application > Cookies.
- The cookie has the correct attributes (SameSite, Secure, domain, path).
- The cookie is sent with subsequent requests (check Network > request > Headers > Cookie).
Escalation ladder
Work from the device outward. Stop when the problem is fixed.
- Confirm symptom: Check DevTools > Application > Cookies to see if the cookie appears.
- SameSite and Secure: SameSite=None requires Secure; use HTTPS for Secure cookies.
- Domain and path: Fix domain and path attributes to match the request.
- Size and count: Check cookie size (4KB) and per-domain limit.
- Contact support: Escalate with Set-Cookie header and request URL.
What to capture if you need help
Before calling support or posting for help, have these ready. It speeds everything up.
- Set-Cookie header from Network response
- Request URL (scheme, host, path)
- Whether the site is HTTP or HTTPS
- Browser and console warnings
- Steps already tried
Does the cookie appear in DevTools > Application > Cookies?
Check Application > Cookies to see if the cookie is set. If not, check Network for the Set-Cookie header.
Is SameSite=None used without Secure?
SameSite=None requires Secure. Both must be set for cross-site cookies.
Add SameSite=None; Secure and use HTTPS
Is the domain or path wrong?
Domain must match or be a parent of the host. Path must match the request path. Use path=/ for site-wide.
Cookie may be set but not sent
If the cookie appears in Application, the issue may be when it is sent (e.g. cross-origin, wrong path).
Reviewed by Blackbox Atlas
Frequently asked questions
- Why would a cookie not set?
  Common causes: SameSite=None without Secure, Secure on HTTP, wrong domain or path, or the browser blocking third-party cookies. Check the Set-Cookie header and DevTools to see which attribute is wrong.
- What is SameSite and when do I need None?
  SameSite restricts when the cookie is sent. Strict: only same-site requests. Lax: same-site and top-level navigations. None: cross-site (e.g. iframes, cross-origin API calls). SameSite=None requires Secure.
- Can I set a cookie from JavaScript on a different domain?
  No. document.cookie and Set-Cookie only work for the current origin. Cross-site cookies must be set by the server via Set-Cookie in a response to a request from that domain. The server controls the domain attribute.