Why Set-Cookie Fails Even When the Response Looks Correct
A debugging guide for separating browser cookie policy rejections from backend response success when auth cookies appear to vanish after login.
A response can return 200 OK and still fail to establish a working auth session in the browser. That is what makes cookie debugging frustrating: the backend may be convinced the login succeeded while the browser silently rejects, scopes, or withholds the cookie.
The fix is usually not to keep staring at the success status code. It is to review the raw Set-Cookie line, then separate header policy problems from cross-origin transport issues and token-content assumptions.
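The raw-header review described above can be scripted. The following is an added example, not code from this page or its tools: the function name inspectSetCookie, its issue codes and the sample headers are assumptions, and it covers only cookie attribute rules, not CORS or credentials mode.

```javascript
// Added example: check one raw Set-Cookie line against widely implemented browser rules.
// inspectSetCookie, its issue codes and the sample headers are hypothetical/constructed.
function inspectSetCookie(rawLine, requestUrl) {
  const url = new URL(requestUrl);
  const [pair, ...rest] = rawLine.replace(/^set-cookie:\s*/i, "").split(";");
  const name = pair.slice(0, Math.max(pair.indexOf("="), 0)).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? "" : part.slice(i + 1).trim();
  }
  const secure = "secure" in attrs;
  const sameSite = (attrs.samesite || "").toLowerCase();
  const domain = (attrs.domain || "").replace(/^\./, "").toLowerCase();
  const host = url.hostname;
  const issues = [];

  // SameSite=None is only accepted together with Secure.
  if (sameSite === "none" && !secure) issues.push("samesite-none-without-secure");
  // A Secure cookie is not accepted from a plain-HTTP response
  // (some browsers exempt localhost; this check does not).
  if (secure && url.protocol !== "https:") issues.push("secure-over-http");
  // Domain must be the request host or a parent domain of it.
  if (domain && host !== domain && !host.endsWith("." + domain)) issues.push("domain-mismatch");
  // __Host- requires Secure, Path=/ and no Domain; __Secure- requires Secure.
  if (name.startsWith("__Host-") && (!secure || attrs.path !== "/" || "domain" in attrs))
    issues.push("host-prefix-violation");
  if (name.startsWith("__Secure-") && !secure) issues.push("secure-prefix-violation");
  // A numeric Max-Age <= 0 makes the browser drop the cookie immediately.
  const maxAge = attrs["max-age"];
  if (/^-?\d+$/.test(maxAge || "") && Number(maxAge) <= 0) issues.push("expires-immediately");
  return { name, attrs, issues };
}

// Constructed sample headers, each paired with the URL that returned it.
const samples = [
  ["Set-Cookie: session=abc123; Path=/; HttpOnly; SameSite=None", "https://api.example.test/login"],
  ["Set-Cookie: __Host-sid=xyz; Path=/; Secure; Domain=example.test", "https://app.example.test/login"],
  ["Set-Cookie: sid=1; Domain=other.test; Secure; Max-Age=0", "http://app.example.test/login"],
  ["Set-Cookie: session=ok; Path=/; Secure; HttpOnly; SameSite=Lax", "https://app.example.test/login"],
];
for (const [line, url] of samples) console.log(inspectSetCookie(line, url).issues, "<-", line);
```

An empty issues list only means the attributes pass these checks; confirm actual storage in the browser's cookie panel before moving on to token content.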
Inspect token content only after storage behavior is confirmed
Once the browser is storing the cookie but the session still fails, it makes sense to inspect the token or session payload inside it. At that stage, expiry, issuer, or claim mismatches may explain why auth still breaks.
This ordering matters because a valid JWT inside a rejected cookie is still a broken login flow.
Tools for this section
Set-Cookie Header Inspector
Inspect raw Set-Cookie response headers, surface effective attributes, and flag browser policy issues such as SameSite=None without Secure.
CORS Header Checker
Check whether a browser request will pass CORS based on the request method, custom headers, credentials mode, and the response headers your API returns.
JWT Decoder
Decode and inspect JWT tokens instantly to view headers, payloads, and expiration status locally in your browser.