AngularJS withCredentials Not Sending


By default credentials are NOT sent in a CORS pre-flight OPTIONS request. See here. See also this answer. The credentials will be sent on your actual request.

Also, useXDomain and X-Requested-With headers are not actually used in current versions of Angular, so those lines are doing nothing in your $httpProvider config. All CORS interaction is handled by the browser itself and your server.

In general, to properly implement CORS, your server should not require credentials on the preflight request. (Please note that some browsers send them anyway, but shouldn't.) This is because an OPTIONS request is considered "safe" and should never contain any confidential information.

It may be your problem is in the cookies you're trying to share across domains. What cookies are you trying to send where?

Author: Devin Dixon

Updated on June 04, 2022

Comments

  • Devin Dixon almost 2 years

    In AngularJS, I have my RESTful API in a subdomain, but I am having the problem where the cookie/session is not being shared across domains. For Angular I am doing this:

    app.config(['$httpProvider',
    function($httpProvider) {
        $httpProvider.defaults.useXDomain = true;
        $httpProvider.defaults.withCredentials = true;
        delete $httpProvider.defaults.headers.common['X-Requested-With'];
    }]);
    

    Also, when I am making a request with $http I am doing

    var object = {};
    
    object.url = '/example';
    // Ask the browser to include cookies on this cross-origin request
    object.withCredentials = true;
    
    $http(object).success(object.success).error(object.error);
    

    And on my server side I have:

    if($_SERVER['REQUEST_METHOD']=='OPTIONS') {
        if(isset($_SERVER['HTTP_X_FOWARDED_HOST']) && !empty($_SERVER['HTTP_X_FOWARDED_HOST'])) {
            $origin=$_SERVER['HTTP_X_FOWARDED_HOST'];
        } else {
            $origin=$_SERVER['HTTP_ORIGIN'];
        }
        if(isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && ($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='POST' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='DELETE' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='PUT')) {
            header('Access-Control-Allow-Origin: '.$origin);
            header('Access-Control-Allow-Credentials: true');
            header('Access-Control-Allow-Headers:  *,X-Requested-With,Content-Type');
            //header('Access-Control-Allow-Headers: Content-Type');
            header('Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT');
            // http://stackoverflow.com/a/7605119/578667
            header('Access-Control-Max-Age: 86400');
        }
    
    }
    

    Now I see that the server is saying that it will allow credentials, but it's not being sent in the OPTIONS request. Screenshot below.

    What am I doing wrong?

  • Devin Dixon about 10 years
    I have an SSO cookie assignment set up. So I solved it by having the CORS Option check before the session id check. If it is options, then it doesn't run the session id check for SSO. Else, use the cookie sent.
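
The ordering described in the answer and in the follow-up comment above (answer the preflight without requiring the session cookie, then run the session check only on the actual request), as an added example that is not code from the original thread. The `cors_decide` helper, the allowlisted origin and the sample requests are assumptions made for illustration; unlike the question's code, it echoes `Access-Control-Allow-Origin` only for an exact allowlist match instead of reflecting whatever origin the request supplies.

```php
<?php
// Added example. The allowlist below is an assumption; use your own front-end origins.
const ALLOWED_ORIGINS = ['https://app.example.com'];
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];
// Hypothetical helper: takes a $_SERVER-shaped array and returns
// [HTTP status, response headers, whether the session/SSO check must run].
function cors_decide(array $server): array
{
    $origin  = $server['HTTP_ORIGIN'] ?? '';
    $allowed = in_array($origin, ALLOWED_ORIGINS, true);
    $headers = ['Vary: Origin'];
    if ($allowed) {
        // Exact allowlist match only: "*" is rejected by browsers when credentials are used.
        $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
        $headers[] = 'Access-Control-Allow-Credentials: true';
    }
    $isPreflight = ($server['REQUEST_METHOD'] ?? '') === 'OPTIONS'
        && isset($server['HTTP_ACCESS_CONTROL_REQUEST_METHOD']);
    if (!$isPreflight) {
        // Actual request: the browser attaches the cookie, so check the session.
        return [200, $headers, true];
    }
    // Preflight: no cookie is sent, so answer it without any session check.
    $wantHeaders = array_filter(array_map('trim', explode(',',
        strtolower($server['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? ''))));
    $ok = $allowed
        && in_array($server['HTTP_ACCESS_CONTROL_REQUEST_METHOD'], ALLOWED_METHODS, true)
        && !array_diff($wantHeaders, ALLOWED_HEADERS);
    if (!$ok) {
        return [403, ['Vary: Origin'], false];
    }
    $headers[] = 'Access-Control-Allow-Methods: ' . implode(', ', ALLOWED_METHODS);
    $headers[] = 'Access-Control-Allow-Headers: ' . implode(', ', ALLOWED_HEADERS);
    $headers[] = 'Access-Control-Max-Age: 86400';
    return [204, $headers, false];
}
// Constructed sample requests (not captured traffic).
$samples = [
    'preflight, allowed origin' => ['REQUEST_METHOD' => 'OPTIONS', 'HTTP_ORIGIN' => 'https://app.example.com',
        'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'PUT', 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'Content-Type'],
    'preflight, unknown origin' => ['REQUEST_METHOD' => 'OPTIONS', 'HTTP_ORIGIN' => 'https://other.example',
        'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'PUT'],
    'actual PUT with cookie'    => ['REQUEST_METHOD' => 'PUT', 'HTTP_ORIGIN' => 'https://app.example.com'],
];
foreach ($samples as $name => $server) {
    [$status, $headers, $needsSession] = cors_decide($server);
    printf("%s: %d, session check: %s\n  %s\n", $name, $status, $needsSession ? 'yes' : 'no', implode("\n  ", $headers));
}
```

In a real endpoint, pass `$_SERVER` to the helper, emit the returned lines with `header()`, and exit before the session or SSO check whenever the third element is `false`.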