
javascript - Cookies on cross domain requests - Stack Overflow


I have a web app hosted on domain. and it has a registration form.

When the user completes the registration form the web app calls an Api hosted on app.domain..

The Api is a POST request, called using JavaScript's XmlHttpRequest and the response includes a Set-Cookie header.

However when I inspect the cookies present for app.domain. the cookie received on the Api request is not present.

I thought the browser would handle cookies automatically and since the request to the app.domain. returns a Set-Cookie header the browser would include the cookie in all subsequent requests to app.domain..

Api request:

Request URL:https://app.domain./api/account/subscribe
Request Method:POST

Api Response

Set-Cookie:.AspNet.ExternalBearer=DlOvLGlPLlMWO4mXUcH9ieWNSTpRZ80hhWEKXrFUN-BOfwUsVu4x4qNXizpvdRWA4eIyijsmQARICLPOC-spzXjEVzz-WvO2ZsnSR30kM65dpkALqCUn2OgU2Zqc-fF5mESeYCEDeBCbHuSedCNqWfCIUX3mbeoI3vMu1086YwsinlnUkGe4gC9Ggk44N0PPuoh3J1xl85zUVhd9AsoaUspPzX2zlzkPmJMyb3shx9VlE8dx0ePQLuQhbHfnQdt8L5I5W9NK8uM3lJtHWKvR5lszd7AyuMDmX1N_MA7fGRAHCsW8FcCCvzeM9oH3c5zZU0uLKQKT5NZF8QyUdDGq6H6U5dPhm5FLTmsCw3qfLGXvIbO8uu-9p__VdEmvgr60D78uWrg6K-akNYNQDHVWvNyVdOYwM8N2H3l0hiTV8GveiZV-WpI4VSGFoOr821H8PRj1eC6UT6GiTFeksp7JmFLKuVLx8YY6uLcQYldQQUKDnvSiteZbwVg-DSYnGW9FdN3t9AdbUaW3mjFTCz_of5utAO9Fl8TFS02GucZLMCFEfxBkHh9qcmWUMrauWOLl59huTAFYDoCGG9pi06Hvm7ggF3H4oP-fXyFe85AsRC4; domain=app.domain.; path=/; secure; HttpOnly

No cookie is included in the subsequent request to app.domain.

So, what's missing?

Thanks!

Asked Sep 24, 2016 at 9:07 by JCS, edited Sep 24, 2016 at 9:29
  • developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/… – C3roe Commented Sep 24, 2016 at 9:17
  • I'm not trying to include the cookie in the request to www.app.domain. but instead setting a cookie based on the response of a request to www.app.domain. – JCS Commented Sep 24, 2016 at 9:25
  • "In addition, this flag is also used to indicate when cookies are to be ignored in the response." – C3roe Commented Sep 24, 2016 at 9:50
  • CBroe, how can I thank you? :) Please answer the question so I can mark it as accepted! Cheers! – JCS Commented Sep 24, 2016 at 14:16
2 Answers

You need to set the withCredentials flag for cookies to properly work when making cross-domain requests.

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials:

In addition, this flag is also used to indicate when cookies are to be ignored in the response.

You have to explicitly set domain in the cookie.

Set-Cookie: name=value; domain=domain.

Go here for more details.
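The checks both answers describe (the withCredentials flag and the cookie's Domain attribute), together with the CORS response headers a credentialed request needs, as an added example that is not code from the question or from either answer. The hostnames, the `subscribe`, `domainMatches` and `diagnose` names, and the sample headers in the usage are assumptions made for illustration.

```javascript
// Added example; hostnames used with it are constructed placeholders.

// Browser side: opt in before send(). XHR is injectable so this loads in Node.
function subscribe(url, payload, XHR = globalThis.XMLHttpRequest) {
  const xhr = new XHR();
  xhr.open("POST", url);
  xhr.withCredentials = true; // else a cross-origin Set-Cookie is ignored
  xhr.setRequestHeader("Content-Type", "application/json");
  xhr.send(JSON.stringify(payload));
  return xhr;
}

// RFC 6265 domain-match: host equals the Domain value or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Simplified model (no public-suffix, SameSite or preflight handling).
// cookieAccepted: Set-Cookie passes the withCredentials/Domain/Secure checks.
// responseReadable: CORS headers let the calling script read the response.
function diagnose({ pageOrigin, requestUrl, withCredentials, headers }) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const target = new URL(requestUrl);
  const crossOrigin = target.origin !== pageOrigin;
  const reasons = [];

  const attrs = (h["set-cookie"] || "").split(";").slice(1).map((a) => a.trim());
  const domainAttr = attrs.find((a) => /^domain=/i.test(a));
  if (crossOrigin && !withCredentials) reasons.push("withCredentials not set");
  if (domainAttr && !domainMatches(target.hostname, domainAttr.slice(7)))
    reasons.push("Domain attribute does not match the responding host");
  if (attrs.some((a) => /^secure$/i.test(a)) && target.protocol !== "https:")
    reasons.push("Secure cookie sent over a non-HTTPS connection");
  const cookieAccepted = reasons.length === 0;

  const before = reasons.length; // anything pushed after this is a CORS failure
  if (crossOrigin) {
    const allowOrigin = h["access-control-allow-origin"];
    const wildcardOk = allowOrigin === "*" && !withCredentials;
    if (allowOrigin !== pageOrigin && !wildcardOk)
      reasons.push("Access-Control-Allow-Origin does not allow this page");
    if (withCredentials && h["access-control-allow-credentials"] !== "true")
      reasons.push("Access-Control-Allow-Credentials: true is missing");
  }
  return { cookieAccepted, responseReadable: reasons.length === before, reasons };
}
```

Feeding `diagnose` the response headers copied from the browser's network panel shows which of the conditions is failing; once `withCredentials` is on, a wildcard `Access-Control-Allow-Origin` is no longer enough for the script to read the response.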
