javascript - Cross-Domain Cookie not sent to application after redirect - Stack Overflow

We are planning to support the integration of remote login forms to our application. For this I provide a CORS enabled API call that sets an authentication cookie for our application. The ajax call succeeds and the response contains the cookies, but once I redirect the browser to our application, the cookie is not contained anymore.

My setup consists of the login form running on http://myhost/login.html, the API login call is running on http://myapp:8080/login (ASP Web Api) and the application itself on http://myapp/app (ASP MVC)

The ajax call looks like this:

var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://myapp:8080/login', true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.onload = function() {
    var resp = xhr.responseText;
    if(xhr.status == 200) {
        document.querySelector('#status').innerHTML = 'Login successful <a href="http://myapp/app">Go to MyApp</a>';
    }
    else {
        document.querySelector('#status').innerHTML = 'Login Failed : ' + xhr.statusText + '<br /><pre>' + xhr.responseText + '</pre>';
    }        
};
xhr.send(JSON.stringify({ UserName: 'User', Password: 'Pass' }));

And the server responds:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://myhost
Content-Length:0
Date:Fri, 23 Jun 2017 08:49:04 GMT
Server:Microsoft-HTTPAPI/2.0
Set-Cookie:MyAppToken=SecretToken; domain=myapp; path=/

When I directly afterwards investigate on the cookies (Google Chrome), I can see that the cookie was set with the correct domain and content. But upon page reload or redirect to http://myapp/app the cookie is not set anymore and also my planned auto-login is not kicking in.

Is there something else I need to consider when I want the MyAppToken to be available on the app after the AJAX call? I do not need access to the MyAppToken cookie on myhost it only needs to be available for myapp to do the login.

Update (2017-07-19)

With only changing our test environment the system described above is working without problems. It seems likely that certain security constraints are influencing whether the browser transmits the cookie to the target application. Especially the 3rd-party cookie policies mentioned by Dennis C. sound reasonable.

Asked Jun 23, 2017 at 9:13 by Danielku15; edited Jan 1, 2020 at 3:55 by sideshowbarker.

Comments:
  • What are your browser settings regarding 3rd-party cookies? Did you try this with all extensions disabled, that might otherwise block/remove certain cookies for privacy reasons? Do things change if you set the cookie with an actual expire timestamp? – C3roe Commented Jul 12, 2017 at 11:46
  • There are no special browser settings regarding the cookies (browser default) and also no plugins. Unless our IT enrolls some special policies which I might miss. – Danielku15 Commented Jul 12, 2017 at 13:38
  • The cookie is set for myapp and you are trying to access it on myhost. That's probably why the cookie isn't reflected in the browser. – TheChetan Commented Jul 14, 2017 at 4:25
  • No, I'm not accessing it on myhost. After the cookie is set for myapp via API, I am redirected to a web application running on myapp to access it from there. It's only the login form which is operating on myhost but no further access to this cookie is needed. – Danielku15 Commented Jul 14, 2017 at 9:27
3 Answers

The absence of an expiration date means you are creating what is called a session only cookie. Closing your connection to your application could be causing the cookie to be cleared.

This is created like this:

HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
Response.Cookies.Add(CrossAuth);

If you want the cookie to persist, try adding an expiration date:

HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
CrossAuth.Expires = DateTime.Now.AddHours(3);
Response.Cookies.Add(CrossAuth);

Which should result in a cookie that looks like this:

By default, most browsers will ignore all 3rd-party cookies unless some P3P policy is given.

I suggest you check out some other answered questions on https://stackoverflow.com/questions/tagged/p3p?sort=votes

login form running on http://myhost/login.html,

the API login call is running on http://myapp:8080/login (ASP Web Api)

the application itself on http://myapp/app (ASP MVC)

In your application, the login form is on one domain, the API is on another domain and your application is on another domain, so the access control is not working.

For an ASP.NET MVC application, for Access-Control-Allow-Origin the reference URL is

https://enable-cors.org/server_iis7.html

<httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Origin" value="*" />
     </customHeaders>
</httpProtocol>

(*) is used to accept requests from any domain. If you only accept particular domains, then check

Access-control-allow-origin with multiple domains

Access-Control-Allow-Origin: {your api domain name}
Access-Control-Allow-Credentials: true

Set the MVC domain request headers.

In this process, your code returns a server response that has the valid cookie in the header. This cookie belongs to the AJAX response. It is not stored in the domain-based cookie storage of the web browser, so we cannot use it after the redirect, because only cookies based on the domain URL are stored in the web browser.

In another way to save the cookie in your web browser in a same domain it's possible. but the Cross domain cookie Saving it's prossible for the Security Reasons.

Refer How to set a cookie for another domain using JavaScript?

So, in this situation you can write the code after getting the success response.

1) Write a method in the MVC controller, with one parameter.

2) In the HTML page, set up one form with

<form id="crossorginpostform" method="post" action="">
 <input type="hidden" id="apptoken" name="MyAppToken"/> 
</form>

Set the cookie value in the apptoken field, change the URL and, using JavaScript, submit the form to your MVC controller method to post the cookie and redirect to your required action.

You receive the cookie and reassign the cookie in that domain as you want.

Refer this Link How to set a cookie for another domain

In this place we set the cross-domain cookie from another domain; there they use PHP, and you set it the same way. I hope this is helpful for you.
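
Added example (not part of the question or of any answer above): a small Node.js checker that applies the rules discussed in this thread to the response headers from the question, covering the exact-origin requirement for credentialed CORS (including the "*" value from the IIS snippet), the cookie Domain match, and whether the cookie is set in a third-party context. The function names are hypothetical, and "site" is approximated by host name, whereas browsers compare registrable domains.

```javascript
// Added example. Values below are copied from the question's response headers.
const QUESTION_HEADERS = {
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Origin': 'http://myhost',
  'Set-Cookie': 'MyAppToken=SecretToken; domain=myapp; path=/',
};

// Split a Set-Cookie line into name, value and lower-cased attributes.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// RFC 6265 domain-match: same host, or host is a subdomain of the cookie domain.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  return host === d || host.endsWith('.' + d);
}

function evaluateLoginResponse(pageUrl, requestUrl, headers) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const findings = [];
  const acao = headers['Access-Control-Allow-Origin'];
  // Credentialed CORS needs the exact page origin echoed back; "*" is refused.
  const corsOk = acao === page.origin && headers['Access-Control-Allow-Credentials'] === 'true';
  if (acao === '*') findings.push('wildcard origin is refused for credentialed requests');
  else if (!corsOk) findings.push('CORS credential headers do not match the page origin');
  const cookie = parseSetCookie(headers['Set-Cookie']);
  // Cookies ignore the port, so only the host name is compared.
  const domainOk = domainMatches(req.hostname, cookie.attrs.domain || req.hostname);
  if (!domainOk) findings.push('Domain attribute does not match the responding host');
  // Assumption: "site" is approximated by host name (browsers use the registrable domain).
  const thirdParty = page.hostname !== req.hostname;
  if (thirdParty) findings.push('cookie is set in a third-party context and is subject to browser cookie policy');
  if (!('httponly' in cookie.attrs)) findings.push('authentication cookie lacks HttpOnly');
  return { corsOk, domainOk, thirdParty, cookieName: cookie.name, findings };
}

console.log(evaluateLoginResponse('http://myhost/login.html', 'http://myapp:8080/login', QUESTION_HEADERS));
```

For the question's setup the CORS and Domain checks pass, and the remaining findings are the third-party context and the missing HttpOnly attribute.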
