[GH-ISSUE #3532] [bug]: set-cookie in response headers not working #1205

New issue

Open

opened 2026-03-16 19:11:33 +03:00 by kerem · 39 comments

kerem commented 2026-03-16 19:11:33 +03:00

Owner

Copy link

Originally created by @xshadowlegendx on GitHub (Nov 10, 2023).
Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/3532

Originally assigned to: @CuriousCorrelation on GitHub.

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

I use hoppscotch cloud with proxy interceptor to call to my backend server and for login endpoint, the server return refresh and fingerprint httponly cookies and after successful login hoppscotch only shows 1 set cookie response, the issue is same as this one and also subsequent request did not send the cookie as well, I tried testing this with postman from the web, and did not configure anything I can call login endpoint and the response show both cookies and also subsequent request will also send those cookies along

Steps to reproduce

you can try this endpoint of my test server on both hoppscotch and postman, postman will just works while hoppscotch did not correctly fold those multiple cookies and did not send them with subsequent request as well

POST https://identity.lsa.xdevx.dedyn.io/authn/password/login

user_id = 7131aa28-ca21-4ff7-8273-5e16ab304e25
password = 13db2588XyZ

content-type = application/x-www-form-urlencoded

Environment

Production

Version

Cloud

Originally created by @xshadowlegendx on GitHub (Nov 10, 2023). Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/3532 Originally assigned to: @CuriousCorrelation on GitHub. ### Is there an existing issue for this? - [X] I have searched the existing issues ### Current behavior I use hoppscotch cloud with proxy interceptor to call to my backend server and for login endpoint, the server return refresh and fingerprint httponly cookies and after successful login hoppscotch only shows 1 set cookie response, the issue is same as [this one](https://github.com/hoppscotch/hoppscotch/issues/1546) and also subsequent request did not send the cookie as well, I tried testing this with postman from the web, and did not configure anything I can call login endpoint and the response show both cookies and also subsequent request will also send those cookies along ### Steps to reproduce you can try this endpoint of my test server on both hoppscotch and postman, postman will just works while hoppscotch did not correctly fold those multiple cookies and did not send them with subsequent request as well ``` POST https://identity.lsa.xdevx.dedyn.io/authn/password/login user_id = 7131aa28-ca21-4ff7-8273-5e16ab304e25 password = 13db2588XyZ content-type = application/x-www-form-urlencoded ``` ### Environment Production ### Version Cloud

kerem added the

bug

need testing

desktop

labels 2026-03-16 19:11:33 +03:00

kerem commented 2026-03-16 19:11:45 +03:00

Author

Owner

Copy link

@liyasthomas commented on GitHub (Nov 10, 2023):

Cookie capturing is not available in the Hoppscotch web app.

Download Hoppscotch Desktop App to manage Cookies.

<!-- gh-comment-id:1805148670 --> @liyasthomas commented on GitHub (Nov 10, 2023): Cookie capturing is not available in the Hoppscotch web app. [Download Hoppscotch Desktop App](https://hoppscotch.com/download) to manage Cookies.

kerem commented 2026-03-16 19:11:50 +03:00

Author

Owner

Copy link

@xshadowlegendx commented on GitHub (Nov 10, 2023):

hello @liyasthomas I also tried the desktop app one also same behavior

<!-- gh-comment-id:1805322158 --> @xshadowlegendx commented on GitHub (Nov 10, 2023): hello @liyasthomas I also tried the desktop app one also same behavior

kerem commented 2026-03-16 19:11:55 +03:00

Author

Owner

Copy link

@liyasthomas commented on GitHub (Nov 10, 2023):

Sorry for the inconvenience, as of today, you've to manually add the cookie string to the domain. You can follow the instructions in the cookies documentation to manually add cookies.

The ability to auto magically set-cookies from response headers is coming soon in Hoppscotch Desktop App. Thank you for your patience. Keeping this issue ticket open to track feature progress.

<!-- gh-comment-id:1805338334 --> @liyasthomas commented on GitHub (Nov 10, 2023): Sorry for the inconvenience, as of today, you've to manually add the cookie string to the domain. You can follow the instructions in the [cookies documentation](https://docs.hoppscotch.io/documentation/features/cookies) to manually add cookies. The ability to auto magically set-cookies from response headers is coming soon in Hoppscotch Desktop App. Thank you for your patience. Keeping this issue ticket open to track feature progress.

kerem commented 2026-03-16 19:12:00 +03:00

Author

Owner

Copy link

@felipebontempo commented on GitHub (Mar 7, 2024):

Sorry for the inconvenience, but maybe my problem is exactly this:

Below are two images, one is how Postman returns and how hoppscotch returns.

The problem is that hoppscotch is missing a "Set-cookie", there should be two, and they are exactly the same call in both tools.

What will be the problem?

I'm sending it here precisely because I think it's a problem with the tool, correct me if I'm wrong.

<!-- gh-comment-id:1983491480 --> @felipebontempo commented on GitHub (Mar 7, 2024): Sorry for the inconvenience, but maybe my problem is exactly this: Below are two images, one is how Postman returns and how hoppscotch returns. The problem is that hoppscotch is missing a "Set-cookie", there should be two, and they are exactly the same call in both tools. What will be the problem? I'm sending it here precisely because I think it's a problem with the tool, correct me if I'm wrong.  

kerem commented 2026-03-16 19:12:05 +03:00

Author

Owner

Copy link

@felipebontempo commented on GitHub (Mar 8, 2024):

I just tested it on the Bruno API, both values come in the "set-cookie" variable, I believe there is a data cut in Hoppscoth

<!-- gh-comment-id:1985744643 --> @felipebontempo commented on GitHub (Mar 8, 2024): I just tested it on the Bruno API, both values come in the "set-cookie" variable, I believe there is a data cut in Hoppscoth

kerem commented 2026-03-16 19:12:10 +03:00

Author

Owner

Copy link

@DarkDonnerGunther commented on GitHub (Aug 22, 2024):

Is here any update? I need to save cookies automatically to use them as request.

<!-- gh-comment-id:2304463231 --> @DarkDonnerGunther commented on GitHub (Aug 22, 2024): Is here any update? I need to save cookies automatically to use them as request.

kerem commented 2026-03-16 19:12:15 +03:00

Author

Owner

Copy link

@CIenthusiast commented on GitHub (Aug 27, 2024):

How is this not fixed already. This is a must-have basic for any api tool.
I get that you could technically disable security for your local development or you could just copy it manually to your cookie-store. Who tf does that?

<!-- gh-comment-id:2312519643 --> @CIenthusiast commented on GitHub (Aug 27, 2024): How is this not fixed already. This is a must-have basic for any api tool. I get that you could technically disable security for your local development or you could just copy it manually to your cookie-store. Who tf does that?

kerem commented 2026-03-16 19:12:20 +03:00

Author

Owner

Copy link

@Paper-Folding commented on GitHub (Aug 27, 2024):

I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using hoppscotch's "test" tab, and use env value in cookie header with accessToken=<<accessToken>>;refreshToken=<<refreshToken>> (I'm using jwt authentication).
My simple test script to do that:

const tokens = pw.response.headers
  .filter((ele) => ele.key === "Set-Cookie")
  .map((ele) => ele.value.split(";")[0].split("="));
pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]);
pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1])

The shortcoming is, you have to add this cookie header for each subsequent authentication required requests.

<!-- gh-comment-id:2312533350 --> @Paper-Folding commented on GitHub (Aug 27, 2024): I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using hoppscotch's "test" tab, and use env value in cookie header with `accessToken=<<accessToken>>;refreshToken=<<refreshToken>>` (I'm using jwt authentication). My simple test script to do that: ```js const tokens = pw.response.headers .filter((ele) => ele.key === "Set-Cookie") .map((ele) => ele.value.split(";")[0].split("=")); pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]); pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1]) ``` The shortcoming is, you have to add this cookie header for each subsequent authentication required requests.

kerem commented 2026-03-16 19:12:25 +03:00

Author

Owner

Copy link

@CIenthusiast commented on GitHub (Aug 27, 2024):

I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using "test", and use env value in cookier header with accessToken=<<accessToken>>;refreshToken=<<refreshToken>> (I'm using jwt authentication). My simple test script to do that:

const tokens = pw.response.headers
  .filter((ele) => ele.key === "set-cookie")
  .map((ele) => ele.value.split(";")[0].split("="));
pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]);
pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1])

The shortcoming is, you have to set the cookie header for each subsequent authentication required requests.

Nice job. I already looked into the Pre-Request scripts to automate it myself. Just saying that if Hoppscotch wants to be the Postman-Killer it needs this badly. My team wanted to switch due to the problematic privacypolicy of Postman and this is in our way.

<!-- gh-comment-id:2312565232 --> @CIenthusiast commented on GitHub (Aug 27, 2024): > I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using "test", and use env value in cookier header with `accessToken=<<accessToken>>;refreshToken=<<refreshToken>>` (I'm using jwt authentication). My simple test script to do that: > > ```js > const tokens = pw.response.headers > .filter((ele) => ele.key === "set-cookie") > .map((ele) => ele.value.split(";")[0].split("=")); > pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]); > pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1]) > ``` > > The shortcoming is, you have to set the cookie header for each subsequent authentication required requests. Nice job. I already looked into the Pre-Request scripts to automate it myself. Just saying that if Hoppscotch wants to be the Postman-Killer it needs this badly. My team wanted to switch due to the problematic privacypolicy of Postman and this is in our way.

kerem commented 2026-03-16 19:12:30 +03:00

Author

Owner

Copy link

@devNull2and1 commented on GitHub (Aug 27, 2024):

I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using "test", and use env value in cookier header with accessToken=<<accessToken>>;refreshToken=<<refreshToken>> (I'm using jwt authentication). My simple test script to do that:

const tokens = pw.response.headers
  .filter((ele) => ele.key === "set-cookie")
  .map((ele) => ele.value.split(";")[0].split("="));
pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]);
pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1])

The shortcoming is, you have to set the cookie header for each subsequent authentication required requests.

Nice job. I already looked into the Pre-Request scripts to automate it myself. Just saying that if Hoppscotch wants to be the Postman-Killer it needs this badly. My team wanted to switch due to the problematic privacypolicy of Postman and this is in our way.

Dude, wanted to say the same.

<!-- gh-comment-id:2312580969 --> @devNull2and1 commented on GitHub (Aug 27, 2024): > > I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using "test", and use env value in cookier header with `accessToken=<<accessToken>>;refreshToken=<<refreshToken>>` (I'm using jwt authentication). My simple test script to do that: > > ```js > > const tokens = pw.response.headers > > .filter((ele) => ele.key === "set-cookie") > > .map((ele) => ele.value.split(";")[0].split("=")); > > pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]); > > pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1]) > > ``` > > > > > > > > > > > > > > > > > > > > > > > > The shortcoming is, you have to set the cookie header for each subsequent authentication required requests. > > Nice job. I already looked into the Pre-Request scripts to automate it myself. Just saying that if Hoppscotch wants to be the Postman-Killer it needs this badly. My team wanted to switch due to the problematic privacypolicy of Postman and this is in our way. Dude, wanted to say the same.

kerem commented 2026-03-16 19:12:35 +03:00

Author

Owner

Copy link

@Paper-Folding commented on GitHub (Aug 27, 2024):

And since Hoppscotch is written in electron, and "test" block is written in js, you can use console.log in test block, and values will show in Hoppscotch's dev tool, for deugging purpose.

<!-- gh-comment-id:2312614736 --> @Paper-Folding commented on GitHub (Aug 27, 2024): And since Hoppscotch is written in electron, and "test" block is written in js, you can use `console.log` in test block, and values will show in Hoppscotch's dev tool, for deugging purpose.

kerem commented 2026-03-16 19:12:41 +03:00

Author

Owner

Copy link

@wicol commented on GitHub (Oct 14, 2024):

And since Hoppscotch is written in electron, and "test" block is written in js, you can use console.log in test block, and values will show in Hoppscotch's dev tool, for deugging purpose.

I can't find anything called dev tool. How do I look at console output from the test script when using the desktop app?

<!-- gh-comment-id:2410530958 --> @wicol commented on GitHub (Oct 14, 2024): > And since Hoppscotch is written in electron, and "test" block is written in js, you can use `console.log` in test block, and values will show in Hoppscotch's dev tool, for deugging purpose. I can't find anything called dev tool. How do I look at console output from the test script when using the desktop app?

kerem commented 2026-03-16 19:12:46 +03:00

Author

Owner

Copy link

@allen-liaoo commented on GitHub (Oct 17, 2024):

Has the feature of automatically setting cookies from response headers been implemented on the desktop yet? I'm looking to replace postman with this but this is unusable without automatic cookie setter and auth custom redirect_uri

<!-- gh-comment-id:2419906995 --> @allen-liaoo commented on GitHub (Oct 17, 2024): Has the feature of automatically setting cookies from response headers been implemented on the desktop yet? I'm looking to replace postman with this but this is unusable without automatic cookie setter and auth custom redirect_uri

kerem commented 2026-03-16 19:12:51 +03:00

Author

Owner

Copy link

@community-release commented on GitHub (Dec 6, 2024):

Is there any updates on this ?

<!-- gh-comment-id:2522539238 --> @community-release commented on GitHub (Dec 6, 2024): Is there any updates on this ?

kerem commented 2026-03-16 19:12:56 +03:00

Author

Owner

Copy link

@ysomad commented on GitHub (Dec 16, 2024):

Is there any plans on implementing it soon?

<!-- gh-comment-id:2545360462 --> @ysomad commented on GitHub (Dec 16, 2024): Is there any plans on implementing it soon?

kerem commented 2026-03-16 19:13:01 +03:00

Author

Owner

Copy link

@khanhquocnguyen commented on GitHub (Jan 24, 2025):

Any update on this? This is a must have for every api tool

<!-- gh-comment-id:2612080838 --> @khanhquocnguyen commented on GitHub (Jan 24, 2025): Any update on this? This is a must have for every api tool

kerem commented 2026-03-16 19:13:06 +03:00

Author

Owner

Copy link

@perevernihata commented on GitHub (Jan 25, 2025):

This issue is exactly the reason we are not able to switch from postman

<!-- gh-comment-id:2613632813 --> @perevernihata commented on GitHub (Jan 25, 2025): This issue is exactly the reason we are not able to switch from postman

kerem commented 2026-03-16 19:13:11 +03:00

Author

Owner

Copy link

@miku4j commented on GitHub (Feb 3, 2025):

This is diabolical

<!-- gh-comment-id:2629799014 --> @miku4j commented on GitHub (Feb 3, 2025): This is diabolical

kerem commented 2026-03-16 19:13:16 +03:00

Author

Owner

Copy link

@hoaxnerd commented on GitHub (Feb 3, 2025):

Any update on this ?

<!-- gh-comment-id:2630834023 --> @hoaxnerd commented on GitHub (Feb 3, 2025): Any update on this ?

kerem commented 2026-03-16 19:13:21 +03:00

Author

Owner

Copy link

@thiagocavalcanti commented on GitHub (Feb 14, 2025):

I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using hoppscotch's "test" tab, and use env value in cookie header with accessToken=<<accessToken>>;refreshToken=<<refreshToken>> (I'm using jwt authentication). My simple test script to do that:

const tokens = pw.response.headers
.filter((ele) => ele.key === "Set-Cookie")
.map((ele) => ele.value.split(";")[0].split("="));
pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]);
pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1])
The shortcoming is, you have to add this cookie header for each subsequent authentication required requests.

Thanks, this idea solves the issue opened of setting the cookie into next requests, however in my pw.response.headers is still returning only 1 set-cookie header :(

<!-- gh-comment-id:2659672190 --> @thiagocavalcanti commented on GitHub (Feb 14, 2025): > I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using hoppscotch's "test" tab, and use env value in cookie header with `accessToken=<<accessToken>>;refreshToken=<<refreshToken>>` (I'm using jwt authentication). My simple test script to do that: > > const tokens = pw.response.headers > .filter((ele) => ele.key === "Set-Cookie") > .map((ele) => ele.value.split(";")[0].split("=")); > pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]); > pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1]) > The shortcoming is, you have to add this cookie header for each subsequent authentication required requests. Thanks, this idea solves the issue opened of setting the cookie into next requests, however in my pw.response.headers is still returning only 1 set-cookie header :(

kerem commented 2026-03-16 19:13:26 +03:00

Author

Owner

Copy link

@Paper-Folding commented on GitHub (Feb 14, 2025):

I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using hoppscotch's "test" tab, and use env value in cookie header with accessToken=<<accessToken>>;refreshToken=<<refreshToken>> (I'm using jwt authentication). My simple test script to do that:
const tokens = pw.response.headers
.filter((ele) => ele.key === "Set-Cookie")
.map((ele) => ele.value.split(";")[0].split("="));
pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]);
pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1])
The shortcoming is, you have to add this cookie header for each subsequent authentication required requests.

Thanks, this idea solves the issue opened of setting the cookie into next requests, however in my pw.response.headers is still returning only 1 set-cookie header :(

this script just needs modifying to adapt to your implementation

<!-- gh-comment-id:2659692122 --> @Paper-Folding commented on GitHub (Feb 14, 2025): > > I found an alternative way, just set accessToken and refreshToken into env variables in your authentication api using hoppscotch's "test" tab, and use env value in cookie header with `accessToken=<<accessToken>>;refreshToken=<<refreshToken>>` (I'm using jwt authentication). My simple test script to do that: > > const tokens = pw.response.headers > > .filter((ele) => ele.key === "Set-Cookie") > > .map((ele) => ele.value.split(";")[0].split("=")); > > pw.env.set("accessToken", tokens.find((ele) => ele[0] === "accessToken")[1]); > > pw.env.set("refreshToken", tokens.find((ele) => ele[0] === "refreshToken")[1]) > > The shortcoming is, you have to add this cookie header for each subsequent authentication required requests. > > Thanks, this idea solves the issue opened of setting the cookie into next requests, however in my pw.response.headers is still returning only 1 set-cookie header :( this script just needs modifying to adapt to your implementation

kerem commented 2026-03-16 19:13:31 +03:00

Author

Owner

Copy link

@khanhquocnguyen commented on GitHub (Mar 19, 2025):

A year passed and this issue still be there?

<!-- gh-comment-id:2737016474 --> @khanhquocnguyen commented on GitHub (Mar 19, 2025): A year passed and this issue still be there?

kerem commented 2026-03-16 19:13:36 +03:00

Author

Owner

Copy link

@lucasfoussier commented on GitHub (Mar 26, 2025):

+1 This feature would be highly appreciated.

In the case of an API that uses token-based authentication with the token stored in an HTTP-only cookie, it's not possible to use techniques involving Authorization headers (for security reasons).

In the web version of Hoppscotch, this works because the browser acts as the cookie manager and automatically sends the token with subsequent authenticated requests.

Unfortunately, in the desktop version, the only way to authenticate while respecting the API's design is to manually extract the token from the Set-Cookie response header and add it to Hoppscotch's cookie manager. This becomes tedious, especially when dealing with frequently expiring tokens.

<!-- gh-comment-id:2754415842 --> @lucasfoussier commented on GitHub (Mar 26, 2025): +1 This feature would be highly appreciated. In the case of an API that uses token-based authentication with the token stored in an HTTP-only cookie, it's not possible to use techniques involving Authorization headers (for security reasons). In the web version of Hoppscotch, this works because the browser acts as the cookie manager and automatically sends the token with subsequent authenticated requests. Unfortunately, in the desktop version, the only way to authenticate while respecting the API's design is to manually extract the token from the Set-Cookie response header and add it to Hoppscotch's cookie manager. This becomes tedious, especially when dealing with frequently expiring tokens.

kerem commented 2026-03-16 19:13:42 +03:00

Author

Owner

Copy link

@kawpii commented on GitHub (Mar 26, 2025):

Just found out this, this is really necessary.

<!-- gh-comment-id:2755050371 --> @kawpii commented on GitHub (Mar 26, 2025): Just found out this, this is really necessary.

kerem commented 2026-03-16 19:13:47 +03:00

Author

Owner

Copy link

@amishratnasthapit commented on GitHub (Mar 28, 2025):

This is the last feature I need to migrate my company to Hoppscotch. All our APIs now use Server Side Cookie and without this feature using Hoppscotch is very brutal.

<!-- gh-comment-id:2760383076 --> @amishratnasthapit commented on GitHub (Mar 28, 2025): This is the last feature I need to migrate my company to Hoppscotch. All our APIs now use Server Side Cookie and without this feature using Hoppscotch is very brutal.

kerem commented 2026-03-16 19:13:52 +03:00

Author

Owner

Copy link

@FerreiraAdrien commented on GitHub (Apr 14, 2025):

Same as above, this is the last feature I need in Hoppscotch before I can fully migrate. If you have any roadmap or estimated timeline for it, that would be really helpful and a big time-saver.

<!-- gh-comment-id:2801554624 --> @FerreiraAdrien commented on GitHub (Apr 14, 2025): Same as above, this is the last feature I need in Hoppscotch before I can fully migrate. If you have any roadmap or estimated timeline for it, that would be really helpful and a big time-saver.

kerem commented 2026-03-16 19:13:57 +03:00

Author

Owner

Copy link

@amnbcw commented on GitHub (May 22, 2025):

Wow. This is still not implemented? Jeez

<!-- gh-comment-id:2900448686 --> @amnbcw commented on GitHub (May 22, 2025): Wow. This is still not implemented? Jeez

kerem commented 2026-03-16 19:14:02 +03:00

Author

Owner

Copy link

@rjmcloudh commented on GitHub (May 28, 2025):

Any update?

<!-- gh-comment-id:2917447431 --> @rjmcloudh commented on GitHub (May 28, 2025): Any update?

kerem commented 2026-03-16 19:14:07 +03:00

Author

Owner

Copy link

@makkmarci13 commented on GitHub (Jun 5, 2025):

Any update?

<!-- gh-comment-id:2944399610 --> @makkmarci13 commented on GitHub (Jun 5, 2025): Any update?

kerem commented 2026-03-16 19:14:12 +03:00

Author

Owner

Copy link

@srkhost commented on GitHub (Jun 5, 2025):

Any update?

<!-- gh-comment-id:2944416244 --> @srkhost commented on GitHub (Jun 5, 2025): Any update?

kerem commented 2026-03-16 19:14:17 +03:00

Author

Owner

Copy link

@peem041045 commented on GitHub (Jun 24, 2025):

Any update?

<!-- gh-comment-id:2999485236 --> @peem041045 commented on GitHub (Jun 24, 2025): Any update?

kerem commented 2026-03-16 19:14:22 +03:00

Author

Owner

Copy link

@liyasthomas commented on GitHub (Jun 24, 2025):

I completely understand your frustration. Historically, Hoppscotch was a web-first platform, and due to the limitations of web-based cookies access from browsers, we couldn’t implement set-cookie from response.

However, we hope to add support for this in our desktop app, which is capable of doing so. This might be a bit complex and require a relatively high bandwidth and resources from our small team. Nevertheless, it’s in our roadmap. We’re always open to contributions, so if you’d like to help, we’d be happy to review a PR!

Originally posted by @liyasthomas in #5188

<!-- gh-comment-id:2999523340 --> @liyasthomas commented on GitHub (Jun 24, 2025): > I completely understand your frustration. Historically, Hoppscotch was a web-first platform, and due to the limitations of web-based cookies access from browsers, we couldn’t implement set-cookie from response. > > However, we hope to add support for this in our desktop app, which is capable of doing so. This might be a bit complex and require a relatively high bandwidth and resources from our small team. Nevertheless, it’s in our roadmap. We’re always open to contributions, so if you’d like to help, we’d be happy to review a PR! _Originally posted by @liyasthomas in [#5188](https://github.com/hoppscotch/hoppscotch/issues/5188#issuecomment-2996761118)_

kerem commented 2026-03-16 19:14:27 +03:00

Author

Owner

Copy link

@CIenthusiast commented on GitHub (Jun 25, 2025):

Maybe you should consider a bounty to encourage people to commit.
Nothing changed the last 2 years, nothing will change in the next 2 years.
And IMO this should be a top priority. In my case there is no use for hoppscotch unless this functionality is implemented.

<!-- gh-comment-id:3003905328 --> @CIenthusiast commented on GitHub (Jun 25, 2025): Maybe you should consider a bounty to encourage people to commit. Nothing changed the last 2 years, nothing will change in the next 2 years. And IMO this should be a top priority. In my case there is no use for hoppscotch unless this functionality is implemented.

kerem commented 2026-03-16 19:14:32 +03:00

Author

Owner

Copy link

@Gybk commented on GitHub (Sep 18, 2025):

<!-- gh-comment-id:3306109508 --> @Gybk commented on GitHub (Sep 18, 2025): +

kerem commented 2026-03-16 19:14:38 +03:00

Author

Owner

Copy link

@lucasfoussier commented on GitHub (Sep 25, 2025):

Hello everyone, do we have any updates regarding this issue?

<!-- gh-comment-id:3334499168 --> @lucasfoussier commented on GitHub (Sep 25, 2025): Hello everyone, do we have any updates regarding this issue?

kerem commented 2026-03-16 19:14:43 +03:00

Author

Owner

Copy link

@liyasthomas commented on GitHub (Sep 25, 2025):

This issue will be fixed in next release candidate scheduled for end of month.

<!-- gh-comment-id:3334520632 --> @liyasthomas commented on GitHub (Sep 25, 2025): This issue will be fixed in next release candidate scheduled for end of month.

kerem commented 2026-03-16 19:14:48 +03:00

Author

Owner

Copy link

@arthartn commented on GitHub (Sep 30, 2025):

Hello everyone, has this been resolved in the latest version 2025.9.0 ?

We tried logging in (on our localhost) using the desktop app (2025.9.0) on Mac, and the cookie was returned successfully.
However, when trying to get the authentication status afterwards (the same or another tab - both GET requests), the app (presumably) fails to send the cookie to the server, and we get 'Not authorized' (as before), although the cookie is there and not expired, thus, should return the logged-in user.

Are there any settings to be changed/updated to make this work (automatically) ?

<!-- gh-comment-id:3350766801 --> @arthartn commented on GitHub (Sep 30, 2025): Hello everyone, has this been resolved in the latest version 2025.9.0 ? We tried logging in (on our localhost) using the desktop app (2025.9.0) on Mac, and the cookie was returned successfully. However, when trying to get the authentication status afterwards (the same or another tab - both GET requests), the app (presumably) fails to send the cookie to the server, and we get 'Not authorized' (as before), although the cookie is there and not expired, thus, should return the logged-in user. Are there any settings to be changed/updated to make this work (automatically) ?

kerem commented 2026-03-16 19:14:53 +03:00

Author

Owner

Copy link

@liyasthomas commented on GitHub (Sep 30, 2025):

This issue ticket has two main parts:

1. Only single Set-Cookie in response - fixed in #5394.
2. The inability to transmit those cookies to subsequent requests.

The first issue has been resolved in the latest release. We are actively working towards resolving the second issue. This issue is not specific to the desktop app but affects web applications in general. It may involve changes to both backend and frontend components, which we are working towards implementing.

I will keep this ticket open until the functionality to send cookies along with requests for the app is available.

<!-- gh-comment-id:3352610134 --> @liyasthomas commented on GitHub (Sep 30, 2025): This issue ticket has two main parts: 1. Only single Set-Cookie in response - fixed in #5394. 2. The inability to transmit those cookies to subsequent requests. The first issue has been resolved in the latest release. We are actively working towards resolving the second issue. This issue is not specific to the desktop app but affects web applications in general. It may involve changes to both backend and frontend components, which we are working towards implementing. I will keep this ticket open until the functionality to send cookies along with requests for the app is available.

kerem commented 2026-03-16 19:14:58 +03:00

Author

Owner

Copy link

@mathew2103 commented on GitHub (Jan 15, 2026):

More than 2 years since this issue was opened, please look into fixing this

<!-- gh-comment-id:3752958999 --> @mathew2103 commented on GitHub (Jan 15, 2026): More than 2 years since this issue was opened, please look into fixing this

kerem referenced this issue 2026-03-17 00:46:33 +03:00

[PR #1205] [MERGED] upstream #3135

kerem referenced this issue 2026-03-17 00:46:49 +03:00

[PR #1207] [MERGED] I18n #3140

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

chore/security-fix-2026-4-0

next

fix/mockserver-env-set-url-priority

feat/rest-gql-merge

refactor/workspaces

fix/onboarding-mass-assignment

desktop-settings-phase-0-schema-bridge-shell

patch

test-webhook

pr/johnan319/5745

tembo/optimize-performance-db-queries

add-claude-github-actions-1772782423108

fix/code-scanning-103

fix/mock-server-example-endpoint-match-v2

fix/rate-limit-on-health-route

hotfix/api-doc-collection-deletetion

cd-test

fix/mock-server-backend-followup

chore/code-scanning-52

chore/verion-addition-check

nested-migrations

scripting-system-updates-worker-setup

scripting-system-updates

pr/shipko/4367

ci-test

feat/user-delete-condition

feat/user-workspace-stats-api

chore/collection-export-addition

fix/import-file-size-limit-flow

feat/dashboard-common

feat/sort-environment-alphabetically

feat/infra-config-encryption

refactor/team

feat/collection-duplicationn

feat/secure-cookies-toggle

pr/pavog/4195

pr/pavog/4196

test/patch-demo

feat/native-interceptor-updates

pr/AndrewBastin/4111

feat/user-last-active-on

fix/codemirror-large-text-scroll-bug

fix/precision-lost-beautify

fix/env-diff-test-schema-error

fix/email-case-sensitive

release/2024.3.3

refactor/workspace-login-conversion

feat/node-apline-version-upgrade

feat/seed

release/2024.3.2

fix/sh-email-handlebar-issue

feat/app-experiment-animation

release/2024.3.1

release/2024.3.0

pr/jamesgeorge007/3937

experiment/deploychan

feat/github-enterprise-auth

refactor/collection-search-query

hotfix/infra-config-reset-bug

fix/secret-var-bug

hotfix/full-text-search

hotfix/request-variable-version-syncing

feat/request-variable

feat/server-config-additional-properties

pr/JoelJacobStephen/3845

release/2023.12.6

fix/safari-codemirror-perf-bug

release/2023.12.5

release/2023.12.4

fix/secret-env-bugs-tooltip

release/2023.12.3

fix/shared-request-bug

fix/disable-context-menu-option

release/2023.12.2

release/2023.12.1

fix/shared-request-bugs

release/2023.12.0

fix/gql-history-schema

fix/actions-not-working-without-sidebar

pr/jamesgeorge007/3665

chore/desktop-app-corrections

fix/auth-headers-in-coll

fix/embed-url

improve/placeholder

add-realtime-logos

feat/shared-request-embeds

feat/collection-headers

revamp/header

release/2023.8.4

refactor/interceptor-error-display

feat/subpath-based-access

release/2023.8.3

feat/shared-requests

feat/desktop

fix/nodemailer-templates-issue

feature/upgrade-graphql-ws

fix/graphql-crashing

fix/set-environments-when-no-env-selected

refactor/pre-prisma-bump-setup

release/2023.8.2

pr/danitherex/3216

perf/raw-db-query

release/2023.8.1

revert-3348-perf/reduce-backend-calls

fix/incorrect-tab-count-close-all-tab

fix/duplicate-tab-bug

release/2023.8.0

hotfix/fetch-shortcode

fix/tab-right-click-rename-bug

chore/docker-fixes

pr/JoelJacobStephen/3178

feat/fe-accessible-auth-provider-env

feat-cherry-pick/conditional-auth-select

feat/conditional-auth-select

release/2023.4.8

fix/generate-sitemap-issue

test/backend-test-case

refactor/team-invitation

pr/AndrewBastin/3171

release/2023.4.7

fix/duplicate-team-invite

fix/unified-bg-color-coll-tree

fix/shortcode-screen-stuck

release/2023.4.6

revert-3117-patch-3

fix/env-selector-bg

fix/db-url

release/2023.4.4

fix/sync-popup-bug

fix/team-env-set-test

chore/wss-to-ws-on-env

fix/prettify-xml-response

feat/db-volume-addition

feat/env-selector-tabs-ui

bug/broken-env

release/2023.4.2

fix/switch-workspace-env-bug

fix/magic-link

fix/cookie-handler

HPS-OSS-1

staging

revert/auth-issue

feat/export-env

refactor/commons

reference/path-variables

orphan-pr/2243

feat/realtime-search

fix/save-override

refactor/strategies

feat/embeds

bug/withDefaults

feat/show-keys

refactor/toast

2026.3.1

2026.3.0

2026.2.1

2026.2.0

2026.1.1

2026.1.0

2025.12.1

2025.12.0

2025.11.2

2025.11.1

2025.11.0

2025.10.1

2025.10.0

2025.9.2

2025.9.1

2025.9.0

2025.8.1

2025.8.0

2025.7.1

2025.7.0

2025.6.1

2025.6.0

2025.5.4

2025.5.3

2025.5.2

2025.5.1

2025.5.0

2025.4.2

2025.4.1

2025.4.0

2025.3.2

2025.3.1

2025.3.0

2025.2.3

2025.2.2

2025.2.1

2025.2.0

2025.1.1

2025.1.0

2024.12.2

2024.12.1

2024.12.0

2024.11.0

2024.10.2

2024.10.1

2024.10.0

2024.9.3

2024.9.2

2024.9.1

2024.9.0

2024.8.3

2024.8.2

2024.8.1

2024.8.0

2024.7.2

2024.7.1

2024.7.0

2024.6.1

2024.6.0

2024.3.4

2024.3.3

2024.3.2

2024.3.1

2024.3.0

2023.12.6

2023.12.5

2023.12.4

2023.12.3

2023.12.2

2023.12.1

2023.12.0

2023.8.4

2023.8.3

2023.8.2

2023.8.1

2023.8.0

2023.4.8

2023.4.7

2023.4.6

2023.4.5

2023.4.4

2023.4.3

2023.4.2

2023.4.1

2023.4.0

v3.0.1

v3.0.0

v2.2.1

v2.2.0

v2.1.0

v2.0.0

v1.12.0

v1.10.0

v1.9.9

v1.9.7

v1.9.5

v1.9.0

v1.8.0

v1.5.0

v1.0.0

v0.1.0

Labels

Clear labels   

CodeDay

  

a11y

  

browser limited

  

bug

  

bug fix

  

cli

  

core

  

critical

  

design

  

desktop

  

discussion

  

docker

  

documentation

  

duplicate

  

enterprise

  

feature

  

feature

  

fosshack

  

future

  

good first issue

  

hacktoberfest

  

help wanted

  

i18n

  

invalid

  

major

  

minor

  

need information

  

need testing

  

not applicable to hoppscotch

  

not reproducible

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

refactor

  

resolved

  

sandbox

  

self-host

  

spam

  

stale

  

testmu

  

wip

  

wont fix

No labels

CodeDay

a11y

browser limited

bug

bug fix

cli

core

critical

design

desktop

discussion

docker

documentation

duplicate

enterprise

feature

feature

fosshack

future

good first issue

hacktoberfest

help wanted

i18n

invalid

major

minor

need information

need testing

not applicable to hoppscotch

not reproducible

pull-request

question

refactor

resolved

sandbox

self-host

spam

stale

testmu

wip

wont fix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/hoppscotch#1205

No description provided.