Passing cookies in Response.Redirect in ASP.NET
Browsers only send cookies back to pages in the same domain as the page that set the cookie.
So if you go to page http://localhost/login.aspx
and the server then proceeds to set a cookie and redirect to (for instance) http://mymachinename/default.aspx
, the cookie will not be sent from the browser to the server when requesting the second url because its not in the same domain.
To get the cookie back you would either have to redirect to http://localhost/default.aspx
or you would have to start by originally going to http://mymachinename/login.aspx
.
According to HTTP State Management Mechanism
Origin servers MAY send a Set-Cookie response header with any
response. User agents MAY ignore Set-Cookie headers contained in
responses with 100-level status codes but MUST process Set-Cookie
headers contained in other responses (including responses with 400-
and 500-level status codes). An origin server can include multiple
Set-Cookie header fields in a single response. The presence of a
Cookie or a Set-Cookie header field does not preclude HTTP caches
from storing and reusing a response.
So REDIRECTs (3xx) are in the 'other' responses so they should be processed by the browser, which may then drop them for all kinds of reasons. One such cause of the browser rejecting the cookie is when the domain attribute of the cookie is specified and does not have enough dots (like 'localhost') or when the path attribute of the cookie does not case-match the actual path in the URL (cookie's path is case sensitive).