Recently, while working on an Angular web app operating with CORS on localhost against a SpringBoot server, I had an issue where my GET requests were fine, but the POST requests (in this case for logout) did not include a cookie. At first I thought I had some kind of problem with my CORS config - but this was fine:
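```java
var corsConfig = new CorsConfiguration();
// Origins allowed to call the server: the Angular dev server and the backend itself
corsConfig.setAllowedOriginPatterns(List.of(
        "http://localhost:4200",
        "http://localhost:8080"));
corsConfig.applyPermitDefaultValues();
// Needed so the browser accepts responses to requests that carry cookies
corsConfig.setAllowCredentials(true);
```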
It turns out the signature for the POST request used by Angular is slightly different! The second argument is actually for a body. So in my case:
```typescript
return this.http.post<void>(this.logoutUrl, null, {withCredentials: true});
```
This might help someone who is starting to question their understanding of CORS (again).
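The difference in argument order described above, as an added example that is not part of the original post and is not Angular's own code: `HttpSketch` is a hypothetical stand-in that only mirrors the `get(url, options)` and `post(url, body, options)` call shapes, and `misplacedOptions` is a hypothetical test-time check that flags an options object sent as the body. The URL is constructed.

```typescript
interface Options { withCredentials?: boolean; }
interface Outgoing { method: string; url: string; body: unknown; withCredentials: boolean; }

// Hypothetical stand-in, NOT Angular's HttpClient: it only records what would be sent.
class HttpSketch {
  get(url: string, options: Options = {}): Outgoing {
    return { method: "GET", url, body: null, withCredentials: options.withCredentials === true };
  }
  // The second argument is the body; options come third.
  post(url: string, body: unknown, options: Options = {}): Outgoing {
    return { method: "POST", url, body, withCredentials: options.withCredentials === true };
  }
}

// Keys that belong in a request options object, not in a logout body.
const OPTION_KEYS = ["withCredentials", "headers", "params", "observe", "responseType"];

// Returns the option-like keys found in the body; an empty list means nothing suspicious.
function misplacedOptions(req: Outgoing): string[] {
  if (req.body === null || typeof req.body !== "object" || Array.isArray(req.body)) {
    return [];
  }
  return Object.keys(req.body as object).filter((k) => OPTION_KEYS.indexOf(k) !== -1);
}

const http = new HttpSketch();
const logoutUrl = "http://localhost:8080/logout"; // constructed URL for the example

// GET habit carried over to POST: the options object is sent as the body,
// so withCredentials stays false and the browser omits the session cookie.
const buggy = http.post(logoutUrl, { withCredentials: true });

// Call shape from the post: explicit null body, options in third position.
const fixed = http.post(logoutUrl, null, { withCredentials: true });

function report(): string[] {
  return [buggy, fixed].map(
    (r) => `${r.method} withCredentials=${r.withCredentials} misplaced=[${misplacedOptions(r).join(",")}]`
  );
}

console.log(report().join("\n"));
```

A check like `misplacedOptions` fits in a unit test that inspects outgoing requests, where it catches the mistake before a logout silently runs without the session cookie.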