HTTP Cookies and Ajax requests over HTTPS

Question

I know this has been asked before in various forms, but I can't seem to get around the problem. I have tried using both jQuery and the native JS API to make the Ajax requests.

My situation is the following (see attached diagram):

Browser makes HTTP request
Server responds and sets persistent Cookie
Browser makes HTTP Ajax request, Cookie is there alright
Server responds as expected, updates Cookie
Browser makes HTTPS Ajax request, Cookie is not there anymore (?!)
Server gives "default" response, since there is no Cookie (unintended behaviour)

Before anybody starts a lecture on cross-domain requests let me state a couple of things:

I know that this is a cross-domain request (different protocol), and that's why the Server sets the Access-Control-Allow-Origin header in the response (and I am using Chrome and Firefox, both of which support CORS)
What I also know, though, is that the HTTP cookie ought to be manageable over HTTPS (see here) since the host is the same
(EDIT) The cookie is properly set for the general domain (e.g. .domain.ext) and neither the HttpOnly nor the Secure flags are set

So, why, why, why doesn't the browser pass on the cookie when making the HTTPS Ajax call? Any ideas? I am about to lose my mind...

     +-----------+ HTTP Request     +-----------+
     |Browser    |+---------------->|Server     |
     +-----------+                  +-----------+

                   HTTP Response
                  <----------------+
                   Set-cookie

                   Ajax HTTP Req.
                  +---------------->
                   Cookie (OK)

                   HTTP Response
                  <----------------+
                   Set-cookie (OK)

                   Ajax HTTPS Req.
                  +---------------->
                   No Cookie (!!!)

Capture the HTTP request dump and check if any of the `secure` and `http-only` flags are set in the `Set-Cookie` statement. That would at least be a good place to start from. — dpq, Apr 19 '12 at 15:19
http://stackoverflow.com/questions/5441836/jquery-cookie-values-not-maintained-while-moving-from-http-to-https looks like this is a deliberate limitation. — dpq, Apr 20 '12 at 09:49
Thanks, I had already read it, but it does not help at all. First, it says that an https cookie is encrypted, which is only true when in transit (otherwise the browser would not be able to access its data). The explanation given is also against the cookie specification, AFAIK. — NeXuS, Apr 20 '12 at 11:00

score 80 · Accepted Answer · edited May 08 '19 at 12:06

80

Ok, found the solution to the cookie problem.

See XHR specs, jQuery docs and StackOverflow.

The solution to have the cookies sent when switching protocol and/or subdomain is to set the withCredentials property to true.

E.g. (using jQuery)

 $.ajax( {
   /* Setup the call */
   xhrFields: {
     withCredentials: true
   }
 });

edited May 08 '19 at 12:06

stop-cran

4,229
2
30
47

answered Apr 20 '12 at 15:31

NeXuS

1,797
1
13
13

3

Awesome. You found the answer yourself. Thanks for sharing. So many posts when people find the answer and don't share. Kudos NeXuS. – FernandoZ Nov 07 '14 at 02:57
Unfortunately I wasn't able to make it work nonetheless... :D – NeXuS Nov 08 '14 at 13:27
thanks, this worked for me after 2 days of trying to figure out why – Ajayi Oluwaseun Emmanuel Nov 28 '14 at 20:46

score 0 · Answer 2 · edited Jun 14 '20 at 10:47

Document.cookie and Ajax Request does not share the cookie. Otherwise, ajax can't access the cookies from document.cookie or the response headers. They can only be controlled by the remote domain.

If you first get response including cookie from server by ajax, Since that you can request ajax communication with cookie to server.

For this case, you write such as below code (jQuery)

 $.ajax({
      xhrFields : {
           withCredentials : true
      }
 });

See this article and demo

HTTP Cookies and Ajax requests over HTTPS

2 Answers2

Linked

Related