Cookies on cross domain requests


You need to set the withCredentials flag for cookies to properly work when making cross-domain requests.

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials:

In addition, this flag is also used to indicate when cookies are to be ignored in the response.

Author: JCS. Updated on June 04, 2022

Comments

  • JCS, almost 2 years ago:

    I have a web app hosted on domain.com and it has a registration form.

    When the user completes the registration form the web app calls an Api hosted on app.domain.com.

    The Api is a POST request, called using JavaScript's XmlHttpRequest and the response includes a Set-Cookie header.

    However, when I inspect the cookies present for app.domain.com, the cookie received on the Api request is not present.

    I thought the browser would handle cookies automatically and since the request to the app.domain.com returns a Set-Cookie header the browser would include the cookie in all subsequent requests to app.domain.com.

    Api request:

    Request URL:https://app.domain.com/api/account/subscribe
    Request Method:POST
    

    Api Response

    Set-Cookie:.AspNet.ExternalBearer=DlOvLGlPLlMWO4mXUcH9ieWNSTpRZ80hhWEKXrFUN-BOfwUsVu4x4qNXizpvdRWA4eIyijsmQARICLPOC-spzXjEVzz-WvO2ZsnSR30kM65dpkALqCUn2OgU2Zqc-fF5mESeYCEDeBCbHuSedCNqWfCIUX3mbeoI3vMu1086YwsinlnUkGe4gC9Ggk44N0PPuoh3J1xl85zUVhd9AsoaUspPzX2zlzkPmJMyb3shx9VlE8dx0ePQLuQhbHfnQdt8L5I5W9NK8uM3lJtHWKvR5lszd7AyuMDmX1N_MA7fGRAHCsW8FcCCvzeM9oH3c5zZU0uLKQKT5NZF8QyUdDGq6H6U5dPhm5FLTmsCw3qfLGXvIbO8uu-9p__VdEmvgr60D78uWrg6K-akNYNQDHVWvNyVdOYwM8N2H3l0hiTV8GveiZV-WpI4VSGFoOr821H8PRj1eC6UT6GiTFeksp7JmFLKuVLx8YY6uLcQYldQQUKDnvSiteZbwVg-DSYnGW9FdN3t9AdbUaW3mjFTCz_of5utAO9Fl8TFS02GucZLMCFEfxBkHh9qcmWUMrauWOLl59huTAFYDoCGG9pi06Hvm7ggF3H4oP-fXyFe85AsRC4; domain=app.domain.com; path=/; secure; HttpOnly
    

    No cookie is included in the subsequent request to app.domain.com

    So, what's missing?

    Thanks!
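The scenario in the question (a cross-origin POST from domain.com to app.domain.com whose Set-Cookie is never stored) and the answer's fix (set withCredentials) both come down to the same two-sided contract, shown here as an added example that is not part of the original post. The hostnames are the question's own; the helper function names, the allow-list and the stand-in XHR object are assumptions of this example. The server-side part goes a little beyond the answer: a credentialed response is only honoured by the browser when Access-Control-Allow-Origin names the exact requesting origin (never `*`) and Access-Control-Allow-Credentials is literally `true`, so the server must echo an allow-listed origin rather than a wildcard.

```javascript
// Added example (not from the original post). Client: configure a credentialed
// cross-origin POST. `xhr` is injected so the function can be exercised with a
// stand-in object outside a browser (assumption of this example).
function sendWithCredentials(xhr, url, body) {
  xhr.open("POST", url, true);
  // Without this flag the browser neither sends cookies scoped to app.domain.com
  // nor stores the Set-Cookie that comes back; MDN notes the flag also governs
  // whether cookies in the response are honoured.
  xhr.withCredentials = true;
  xhr.setRequestHeader("Content-Type", "application/json");
  xhr.send(JSON.stringify(body));
  return xhr;
}

// Server: the CORS headers that must accompany a credentialed response.
// "*" is not accepted as the origin when credentials are in play, so the server
// echoes the requesting origin only if it is on an explicit allow-list. Returning
// null means "emit no CORS headers", which makes the browser block the response.
function corsHeadersForCredentialed(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) {
    return null;
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // The response differs per origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}

// Simplified model of the browser-side check for a credentialed response:
// exposed only if ACAO exactly equals the requesting origin (a wildcard fails)
// and ACAC is the literal string "true".
function browserAcceptsCredentialedResponse(headers, requestOrigin) {
  if (!headers) return false;
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  return acao === requestOrigin && acac === "true";
}

// Usage in a browser (the question's endpoint):
// sendWithCredentials(new XMLHttpRequest(),
//   "https://app.domain.com/api/account/subscribe", { email: "user@example" });
```

Keeping the allow-list explicit is the design choice worth noting: reflecting whatever Origin header arrives, combined with Allow-Credentials: true, would let any site make cookie-bearing requests to the Api on the user's behalf, so the origin check is what makes the credentialed CORS setup safe.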

  • JCS, over 7 years ago:
    Cool Jakub! Indeed having a look at the headers the domain is not being set. Let me try it and I will get back to you! Thanks