Custom Tabs opened by Gmail app ignore Set-Cookie header


I have no clue whether I am right with this question on Stack Overflow but I believe this behavior is intentional and I am missing out something.

I have an application that sends authentication links via email. When a user opens such a link, the server sets a cookie and redirects the user to the authenticated URL. That works fine for any browser and OS except Android's custom tabs opened by the Gmail app. It simply ignores the Set-Cookie header and never sends that cookie again to the server and therefore fails to authenticate.

Log from tcpdump -i eth0 -A port 8080

GET /blog/post/6/auth?token=SECRET HTTP/1.1
X-Forwarded-Host: example.org
Host: example-app:8080
Connection: close
X-Forwarded-For: 175.187.223.93
X-Forwarded-Proto: https
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
sec-ch-ua-mobile: ?1
sec-ch-ua-platform: "Android"
accept-language: de-DE
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Mobile Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-dest: document
referer: android-app://com.google.android.gm/
accept-encoding: gzip, deflate, br, zstd

HTTP/1.1 302 Found
Content-Length: 0
Connection: close
Date: Fri, 22 Mar 2024 15:06:43 GMT
Server: Kestrel
Cache-Control: no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: /blog/post/6
Pragma: no-cache
Set-Cookie: .AspNetCore.AuthCookie=CfDJ8NUlF4VoiyyMsZqiYlq0_-ra9hnivA6_Jl0fdo3qZD43oy_dXvYlfXBrznygZUsFz9dj38D0H2MQLm_gAEa7zVPK017v3bu_iH_dYkvyyDGFC-_mnN7mDlFZNhMpswLiQ6f5jEmLs7OgR07jvhshjVjZYIGAsEiOYSp9yuBAm5iIBgR_4QaMB8-HSYCedVNvEYcnoIfu3ue1fQMC5D-VgGi95OcYp7vhmK88oA3lHV5t0e4uPF2y5lyPZkXLoptFA67l--qaDzIBbBz2VLSZbQ7_VCdY80MNkin4cEvNZ_r4V268LgAuyerJndgy-Z7M-WAEpdQ2XKcXoa-lQSsEP7KXATg1CLKSCEJEcWU4sQ2dRYNXA7VHBG0b3iBlab4G1DWA3l7twO0Y-jGFMrviYZm; expires=Sun, 21 Apr 2024 15:06:44 GMT; path=/blog; secure; samesite=strict; httponly

GET /blog/post/6 HTTP/1.1
X-Forwarded-Host: example.org
Host: example-app:8080
Connection: close
X-Forwarded-For: 175.187.223.93
X-Forwarded-Proto: https
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Mobile Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
sec-ch-ua-mobile: ?1
sec-ch-ua-platform: "Android"
referer: android-app://com.google.android.gm/
accept-encoding: gzip, deflate, br, zstd
accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7

Environment

  • Android 14
  • One UI 6.0
  • Gmail 2024.02.11.610508537.Release
  • Google Chrome 122.0.6261.90
  • Firefox 122.1.0
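As an added illustration (not the asker's code), a small Python model of the browser-side rules (Secure, Path, SameSite against Sec-Fetch-Site) that decide whether the captured cookie is attached to the follow-up request. The request fields in `FOLLOW_UP` are taken from the capture above, the cookie value is shortened, and the path matching is simplified; the SameSite handling reflects current Chromium behaviour.

```python
# Added illustration, not the asker's code: a model of the browser-side rules
# (Secure, Path, SameSite vs. Sec-Fetch-Site) that decide whether the captured
# .AspNetCore.AuthCookie is attached to the follow-up request.

# Set-Cookie line from the captured 302 response (cookie value shortened here).
SET_COOKIE = (".AspNetCore.AuthCookie=CfDJ8...; expires=Sun, 21 Apr 2024 15:06:44 GMT; "
              "path=/blog; secure; samesite=strict; httponly")

# Follow-up GET /blog/post/6 from the capture: HTTPS (X-Forwarded-Proto), top-level
# navigation, still `sec-fetch-site: cross-site` because it started in the Gmail app.
FOLLOW_UP = {"path": "/blog/post/6", "https": True, "sec_fetch_site": "cross-site",
             "method": "GET", "top_level": True}

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "path": "/", "secure": False,
              "httponly": False, "samesite": "lax"}  # Chromium defaults to Lax
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.lower(), val.strip()
        if key in ("secure", "httponly"):
            cookie[key] = True
        elif key in ("path", "expires"):
            cookie[key] = val
        elif key == "samesite":
            cookie[key] = val.lower()
    return cookie

def cookie_sent(cookie: dict, request: dict) -> bool:
    """True if a browser would attach `cookie` to `request` (simplified path match)."""
    if cookie["secure"] and not request["https"]:
        return False
    if not request["path"].startswith(cookie["path"]):
        return False
    same_site = request["sec_fetch_site"] in ("same-origin", "same-site", "none")
    if cookie["samesite"] == "strict":
        return same_site  # never sent on a cross-site request, redirects included
    if cookie["samesite"] == "lax":
        # Lax cookies do accompany cross-site top-level GET/HEAD navigations
        return same_site or (request["top_level"] and request["method"] in ("GET", "HEAD"))
    return True  # SameSite=None: sent cross-site (browsers also require Secure)

def compare_samesite_policies(header: str = SET_COOKIE) -> dict:
    """For each SameSite mode, would the captured follow-up request carry the cookie?"""
    base = parse_set_cookie(header)
    return {mode: cookie_sent({**base, "samesite": mode}, FOLLOW_UP)
            for mode in ("strict", "lax", "none")}
```

With the captured attributes `compare_samesite_policies()` returns `{'strict': False, 'lax': True, 'none': True}`: a cookie set with `samesite=strict` is withheld from the redirected request because the browser still classifies that navigation as cross-site, while a later navigation that the page itself initiates (`sec-fetch-site: same-origin`) would carry it.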