What can cause a cookie not to be set on the client?

After struggling with a similar scenario (no CORS) for hours, I found out another potential reason: be sure to explicitly set the path for the cookie.

My front-end app was making a call to HOST_URL/api/members/login, and this was returning the right Set-Cookie header, with no path.

I could see the cookie under Response Cookies in Chrome DevTools, but subsequent requests were not including it. Went to chrome://settings/cookies, and the cookie was there, but the path was /api/members.

Specifying root path when setting the cookie at server-side fixed the issue.

I think I found the solution. Since during development, my server is at "localhost:30002" and my web app at "localhost:8003", they are considered different hosts regarding CORS. Therefore, all my requests to the server are covered by CORS security rules, especially Requests with credentials. "Credentials" include cookies as noted on that link, so the returned cookie was not accepted because I did not pass

xhrFields: {
  withCredentials: true
}

to jQuery's $.ajax function. I also have to pass that option to subsequent CORS requests in order to send the cookie.

I added the header Access-Control-Allow-Credentials: true on the server side and changed the Access-Control-Allow-Origin header from wildcard to http://localhost:8003 (port number is significant!). That solution now works for me and the cookie gets stored.