Three bugs with CFDUID cookies in wrangler dev mode

I think I’ve found three bugs with CFDUID cookies in wrangler dev mode:

(1) There are two “set-cookie” headers for __CFDUID sent with differing values for each request; I would expect just one “set-cookie” header per request;

(2) The __CFDUID cookies use the domain of the worker, but in wrangler dev mode requests are served by 127.0.0.1. This causes the browser to reject the cookies as the domain does not match localhost and the cookies are not set;

(3) __CFDUID cookies have “Secure” set. In wrangler dev mode only http is used (not https) so the cookies will not be set;

When working on localhost, the cookie domain must be omitted entirely (not set to null, 127.0.0.1 or any other value).

These three bugs mean any worker which depends on __CFDUID cookies will fail in wrangler dev mode.

Example response headers with domain set to “domain.com”:

content-type: text/html; charset=utf-8
set-cookie: __cfduid=d1b713f8804d59901c7415c0fe657f4e51599255035; expires=Sun, 04-Oct-20 21:30:35 GMT; path=/; domain=.domain.com; HttpOnly; SameSite=Lax; Secure
set-cookie: __cfduid=d2e39c41f3372f60507f81dead235922d1599255035; expires=Sun, 04-Oct-20 21:30:35 GMT; path=/; domain=.domain.com; HttpOnly; SameSite=Lax; Secure
cache-control: max-age=86400, public

Message in Chrome DevTools:

“This set-cookie was blocked because its domain attribute was invalid with regards to the current host url.”
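As an added check, not code from the original post or from wrangler: a small Node/JavaScript audit that parses each Set-Cookie header and reports which of the three conditions above (Secure over plain http, a domain attribute that does not match the host, a repeated Set-Cookie for the same name) would make a browser discard it. It assumes wrangler dev is serving at http://127.0.0.1:8787 and uses the two headers quoted above as constructed input.

```javascript
// Added diagnostic (not wrangler's code): why would a browser refuse to store
// each Set-Cookie from a response to the given request URL? (RFC 6265 rules)
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1); // flag attributes become true
  }
  return cookie;
}
// RFC 6265 5.1.3: host equals the cookie domain (leading dot ignored) or ends
// with "." + domain; an IP literal such as 127.0.0.1 only ever matches itself.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || (!IPV4.test(h) && h.endsWith('.' + d));
}
// Bugs (2) and (3) from the report: domain mismatch and Secure over plain http.
function cookieProblems(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const problems = [];
  if (cookie.attrs.secure === true && url.protocol !== 'https:')
    problems.push('Secure attribute set but request scheme is not https');
  if (cookie.attrs.domain && !domainMatches(url.hostname, cookie.attrs.domain))
    problems.push(`domain=${cookie.attrs.domain} does not match host ${url.hostname}`);
  return problems;
}
// Bug (1): flag a second Set-Cookie for the same cookie name in one response.
function auditSetCookies(headers, requestUrl) {
  const seen = new Set();
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const problems = cookieProblems(c, requestUrl);
    if (seen.has(c.name)) problems.push(`duplicate Set-Cookie for ${c.name}`);
    seen.add(c.name);
    return { name: c.name, problems };
  });
}
// Constructed sample: the two headers quoted in the report above.
const SAMPLE_HEADERS = [
  '__cfduid=d1b713f8804d59901c7415c0fe657f4e51599255035; expires=Sun, 04-Oct-20 21:30:35 GMT; path=/; domain=.domain.com; HttpOnly; SameSite=Lax; Secure',
  '__cfduid=d2e39c41f3372f60507f81dead235922d1599255035; expires=Sun, 04-Oct-20 21:30:35 GMT; path=/; domain=.domain.com; HttpOnly; SameSite=Lax; Secure',
];
// Assumed wrangler dev address; swap in the real origin to see the cookies pass.
console.log(JSON.stringify(auditSetCookies(SAMPLE_HEADERS, 'http://127.0.0.1:8787/'), null, 2));
```

Running it against the dev address lists all three problems; running the same headers against https://www.domain.com/ leaves only the duplicate-header finding.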

I think it may be best in this case to open up a GitHub issue about this in the Wrangler repo.


Ok thanks, have opened https://github.com/cloudflare/wrangler/issues/1547