Cookie is not set in Chromium, but works perfectly in Firefox

[savchenko]

I am testing a Flask app running locally. The front page is protected by Flask-Security.

If I open http://localhost:5000/user/login?next=/ in a fresh session, in Firefox v128 I observe the cookie being correctly set:

While in the Chromium v135 the cookie list is empty. I have verified that "3rd-party cookies" and other privacy hardening options are disabled.

After submitting the form, in Chromium I receive the error:

{
  "description": "The CSRF session token is missing.",
  "error": 400
}

The POST request appears to be correct:

Relevant Flask settings:

SESSION_COOKIE_NAME                       __Host-keypuncher
SESSION_COOKIE_DOMAIN                     False
SESSION_COOKIE_PATH                       None
SESSION_COOKIE_HTTPONLY                   True
SESSION_COOKIE_SECURE                     True
SESSION_COOKIE_PARTITIONED                False
SESSION_COOKIE_SAMESITE                   strict
SESSION_REFRESH_EACH_REQUEST              True
MAX_COOKIE_SIZE                           4093
REMEMBER_COOKIE_SAMESITE                  strict
SECURITY_CSRF_COOKIE_NAME                 None
SECURITY_CSRF_COOKIE                      {'samesite': 'Strict', 'httponly': False, 'secure': False}
SECURITY_CSRF_COOKIE_REFRESH_EACH_REQUEST False

Any ideas as to what is going on here? Why does it work correctly only in Firefox?

[jwag956]

Interesting - the first thing I would double check is that in fact you are properly authenticating - since you are using forms - look VERY carefully at the response form to see if there are any errors (even CSRF errors should show up in the form).
If you are running under and IDE - try setting a breakpoint at login_user() in flask-security and see if that fires.

[savchenko]

I have double-checked the form and it does appear to be correct. Added the *cookie* settings to the original post, might be relevant?

[savchenko]

__Host prefix to blame. Live and learn.