Cookie Incident Operational Checklist
Cookie issues recur when handled ad hoc. A single format for triage, permanent remediation, and monitoring keeps operations stable.
When to use this checklist
- Login is not persisted or drops intermittently
- Only OAuth/OIDC return flow loses login
- Behavior changes by subdomain or path
- Session incidents increased after production migration
15-minute triage (first pass)
1) Collect all Set-Cookie lines from failed responses, with timestamp and URL
2) Use Set-Cookie Inspect to diff SameSite/Secure/Domain/Path attributes
3) Validate the send decision for the target URL with Cookie Domain/Path Matcher
4) If external navigation exists, reproduce cross-site behavior in SameSite Cookie Simulator
5) If name collisions are suspected, detect overlaps with Set-Cookie Conflict Checker
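The triage steps above as working code, an added example that is not part of this page or its tools (it also serves as the kind of regression check the permanent-fix checklist asks for): it parses captured Set-Cookie lines, applies the RFC 6265 domain and path matching rules to decide whether each cookie would be stored and then sent to a target URL, and flags same-name cookies that land in different jar entries. The sample capture, the example.com hostnames and the assumption that Path is always explicit in the capture are constructed for this example; the SameSite decision (step 4) depends on navigation context and is left to the simulator.

```python
from urllib.parse import urlparse

# Constructed sample: Set-Cookie lines captured from failed responses (triage step 1).
CAPTURED = [
    ("https://app.example.com/login", "sid=abc; Domain=example.com; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://app.example.com/login", "sid=xyz; Path=/auth; Secure; SameSite=None"),
    ("https://app.example.com/login", "theme=dark; Domain=shop.example.com; Path=/"),
]

def parse_set_cookie(line):
    """Step 2: split a Set-Cookie value into name, value and lower-cased attribute keys."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    return {"name": name.strip(), "value": value, **attrs}

def domain_matches(host, domain):  # RFC 6265 5.1.3: equal, or host ends with "." + domain
    d, h = domain.lstrip(".").lower(), host.lower()
    return h == d or h.endswith("." + d)

def path_matches(request_path, cookie_path):  # RFC 6265 5.1.4: equal, or prefix at a "/" boundary
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def would_send(cookie, set_url, target_url):
    """Steps 2-3: store acceptance plus the Domain/Path/Secure send decision for target_url."""
    src, dst = urlparse(set_url), urlparse(target_url)
    host_only = "domain" not in cookie  # no Domain attribute => host-only cookie
    domain = cookie.get("domain") or src.hostname
    path = cookie.get("path") or "/"    # assumption: Path is explicit in the capture
    reasons = []
    if not host_only and not domain_matches(src.hostname, domain):
        reasons.append(f"never stored: Domain={domain} does not cover setting host {src.hostname}")
    if not (dst.hostname.lower() == domain.lower() if host_only else domain_matches(dst.hostname, domain)):
        reasons.append(f"{'host-only cookie from ' if host_only else 'Domain='}{domain} does not cover {dst.hostname}")
    if not path_matches(dst.path or "/", path):
        reasons.append(f"Path={path} does not match {dst.path or '/'}")
    if "secure" in cookie and dst.scheme != "https":
        reasons.append("Secure cookie, target is not https")
    return not reasons, reasons

def name_collisions(captured):
    """Step 5: same-name cookies whose Domain/Path differ are separate jar entries that collide on send."""
    seen = {}
    for _, line in captured:
        c = parse_set_cookie(line)
        seen.setdefault(c["name"], set()).add((c.get("domain", "<host-only>"), c.get("path", "/")))
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}
```

Run `would_send` for each captured cookie against the URL that failed; an empty reason list means Domain/Path/Secure are not the cause and the SameSite simulator is the next stop.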
Symptom-to-fastest-route matrix
- Not stored: Set-Cookie Inspect → Cookie Security Audit → Set-Cookie Not Persisted
- Not sent: Domain/Path Matcher → SameSite Simulator → Host/Origin Inspect
- OAuth return failure: start from OAuth Return Cookie Lost scenario
- Intermittent instability: Conflict Checker → Cookie Name Collision Diagnostic
- Oversized header: Cookie Size Checker → Cookie Parser for cleanup
Permanent-fix checklist
- Define cookie naming rules and prohibit/strictly control same-name reuse
- Document canonical Domain/Path policy and enforce it across services
- Explicitly set SameSite=None; Secure on cookies that must be delivered cross-site (SameSite=None without Secure is rejected by current browsers)
- Include legacy-cookie cleanup in migration plans: a clearing Set-Cookie with Max-Age=0 only removes the entry whose name, Domain and Path match the original
- Automate regression tests with production-like domains and HTTPS
Operations monitoring checklist
- Monitor 401/403 rate and login success rate daily
- Track Set-Cookie attribute diffs as part of deploy diff monitoring
- Run periodic cross-browser regressions for key cookie scenarios
- Review top cookie-size contributors periodically
Related pages (recommended order)
- Set-Cookie Inspect
- Cookie Domain/Path Matcher
- SameSite Cookie Simulator
- Set-Cookie Conflict Checker
- Cookie Security Audit
- Cookie Size Checker
- Set-Cookie Not Persisted Diagnostic
- OAuth Return Cookie Lost
- Cookie Name Collision Diagnostic
- Cookie Tools Selection
FAQ
- If I can check only one thing first, what should it be?
- Start with the Set-Cookie attributes the server actually sent. Without that baseline, SameSite/Domain/Path diagnosis is guesswork.
- What most commonly recurs in operations?
- Reintroduction of same-name cookies and leftover legacy cookies during migrations. Enforcing naming rules and cleanup in the release workflow prevents recurrence.
Referenced specs