A login workflow may work in every browser except Safari.
Safari does not allow setting the Secure attribute on a cookie when the site is served from localhost.
Removing the Secure attribute for localhost fixes the issue.
From MDN:
A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It’s never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can’t access it easily. Insecure sites (with http: in the URL) can’t set cookies with the Secure attribute.
Also from MDN:
Insecure sites (http:) cannot set cookies with the Secure attribute (since Chrome 52 and Firefox 52). The https: requirements are ignored when the Secure attribute is set by localhost (since Chrome 89 and Firefox 75).
It is unclear whether Chrome and Firefox allow this for developer convenience or whether Safari’s stricter behavior is correct; in practice, this is how the browsers differ.
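One way to apply the fix above on the server without weakening cookies anywhere else, as an added example (not code from the original post): the function names, the `sid` cookie name and the `devMode` flag are assumptions. It omits Secure only for a plain-HTTP request to a loopback host while development mode is on, and keeps it in every other case.

```javascript
// Added example; isLoopbackHost, sessionCookie, "sid" and devMode are hypothetical names.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);

// Strip the port from a Host header value and test for a loopback name.
function isLoopbackHost(hostHeader) {
  if (typeof hostHeader !== "string" || hostHeader === "") return false;
  let host = hostHeader.trim().toLowerCase();
  if (host.startsWith("[")) {
    // Bracketed IPv6 literal such as "[::1]:3000"
    const end = host.indexOf("]");
    if (end === -1) return false;
    host = host.slice(1, end);
  } else {
    host = host.split(":")[0];
  }
  // Exact match only, so "localhost.example.com" is not treated as local.
  return LOOPBACK_HOSTS.has(host);
}

// Build the Set-Cookie value for a session cookie.
// Secure is dropped only when all three conditions hold:
//   1. devMode is explicitly enabled (never enable it in production),
//   2. the request did not arrive over HTTPS,
//   3. the Host header names a loopback address.
// The Host header is client-controlled, which is why it is not trusted alone.
function sessionCookie(value, { hostHeader, isHttps, devMode = false }) {
  const parts = [
    `sid=${encodeURIComponent(value)}`,
    "Path=/",
    "HttpOnly",
    "SameSite=Lax",
  ];
  const insecureLocalDev = devMode && !isHttps && isLoopbackHost(hostHeader);
  if (!insecureLocalDev) parts.push("Secure");
  return parts.join("; ");
}
```

HttpOnly and SameSite stay on in both cases, so the local cookie differs from the production one only in the attribute Safari rejects.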