I am using ASP.NET. I either add or set a cookie (depending on whether the HttpRequest contains a cookie with specified key), and immediately afterward call Response.Redirect. The cookie is not set. Is this correct behavior? Is there something mutually exclusive about setting a cookie during an http response with a 302 status code?

Here's the source:

        if (context.HttpContext.Request.Browser.Cookies)
        {
            var cookies = context.HttpContext.Request.Cookies;
            var stateCookie = new HttpCookie(SR.session, clientState.SessionId.ToString());
            if (cookies.AllKeys.Contains(SR.session))
            {
                context.HttpContext.Response.Cookies.Set(stateCookie);
            }
            else
            {
                context.HttpContext.Response.Cookies.Add(stateCookie);
            }
        }

Here are the Response headers

• X-AspNetMvc-Version - 2.0
• Connection - Close
• Cache-Control - private
• Content-Type - text/html
• Date - Sun, 20 Mar 2011 03:48:04 GMT
• Location - http://localhost:3599/Home/Redirected
• Server - ASP.NET Development Server/9.0.0.0
• X-AspNet-Version - 2.0.50727

After googling a bit it seems that yes, there can be problems with setting the cookie in the redirect response as it may be ignored by a few browsers. (It may make some sense, as the response is really telling the client to ignore the resource and get some other resource instead).

This has been discussed here already: Sending browser cookies during a 302 redirect

So I would change the architecture in a way that allows the page being redirected to to set the cookie.