
I have 3 domains that need to work along...
My flow basically works like this:

  1. The user goes to A.com
  2. A.com sets a cookie and redirects to B.com
  3. B.com's ajax calls need to send the cookie on requests to C.com

How "can I"/"should I" implement this behavior?

I set the xhrFields "withCredentials: true" in B.com ajax, but inspecting the request using fiddler, no cookies are sent...

PS: I'm kinda lost... if extra info is needed, please ask!

Leonardo
  • Which cookie goes to `c.com`? The cookie from `A` or `C`'s own cookie? – SilverlightFox Apr 16 '14 at 08:47
  • I need the cookie set by A.com – Leonardo Apr 16 '14 at 12:23
  • Cookies will only be sent to the originating domain. If you set a cookie on `a.com` the browser will not send it to `c.com`. You could make a web method on `a.com` that sends back the cookie value as JSON (`Access-Control-Allow-Origin: b.com`) and a similar method to allow this cookie to be set on a web method on `c.com`. – SilverlightFox Apr 16 '14 at 13:14

1 Answer


Check out my answer here...

If you're setting the withCredentials flag, the request is 'likely' being preflighted. This means the browser is sending an OPTIONS request BEFORE sending your actual request. The response of that OPTIONS request will determine whether or not the actual request will be allowed/denied.

--- edit ---

Regardless of a preflight options request, a request that bears the withCredentials flag will only be successful if the response headers bear the Access-Control-Allow-Credentials in addition to allowing the origin, method and any headers necessary or contained in the request trying to be made.

That is CORS. So it'll be the same between all domains (a, b, c, etc).

J.Wells
  • Credentialed requests are not, by default, preflighted. The presence of cookies in the request is not part of the determination as to whether the request will be preflighted. A request is only preflighted if it contains a non-simple method, or a non-simple header. – Ray Nicholus Apr 15 '14 at 02:30
  • I revised my answer slightly, but the `withCredentials` flag denotes that the request should be preflighted on the premise that the server receives an `OPTIONS` request to notify clients whether or not credentials are allowed, as required by the spec and as mentioned [here](https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS#Overview) – J.Wells Apr 15 '14 at 02:49
  • No, that's not true. withCredentials has no bearing on whether the request is preflighted. I think you are misreading/misunderstanding the spec. A request is only preflighted if it contains non-simple headers or a non-simple method. A credentialed request is not preflighted if it is, for example, a GET request with simple headers. In that case, one request (the underlying request) is sent, and the server must include an Access-Control-Allow-Origin header and an Access-Control-Allow-Credentials header. The article you linked to demonstrates this as well. – Ray Nicholus Apr 15 '14 at 02:55
  • Regardless, the resolution is to ensure the response includes the correct headers. – J.Wells Apr 15 '14 at 03:07
  • Yes, I completely agree. – Ray Nicholus Apr 15 '14 at 03:15
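The response-header logic the answer and the comments converge on, as an added example that is not from the question or the answer: a minimal Node.js handler for a `c.com` endpoint that echoes an allow-listed origin, sets `Access-Control-Allow-Credentials`, and answers a preflight only when the browser actually sends one (the allow-list entry, the handler name and the JSON body are assumptions). As SilverlightFox's comment notes, `withCredentials` only delivers cookies that `c.com` itself set; A.com's cookie never reaches `c.com`.

```javascript
// Assumed allow-list of origins permitted to make credentialed requests.
const ALLOWED_ORIGINS = new Set(["https://b.com"]);

// Compute the CORS response headers for a request from `origin`.
// Returns null when the origin is not allow-listed; the browser on b.com
// then blocks the response even though c.com processed the request.
function corsHeaders(origin, isPreflight, requestedHeaders) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    // With withCredentials the browser rejects "*": echo the exact origin.
    "Access-Control-Allow-Origin": origin,
    // Without this header a credentialed request fails even if the origin matches.
    "Access-Control-Allow-Credentials": "true",
    // Allow-Origin depends on the request, so shared caches must key on Origin.
    "Vary": "Origin",
  };
  if (isPreflight) {
    // Only reached for non-simple requests (custom headers, PUT/DELETE, ...).
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = requestedHeaders || "";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Request handler for the c.com endpoint (hypothetical name); wire it up
// with require("http").createServer(handle).listen(...) behind TLS.
function handle(req, res) {
  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  const cors = corsHeaders(req.headers.origin, isPreflight,
                           req.headers["access-control-request-headers"]);
  if (isPreflight) {
    // A preflight from an unknown origin gets no CORS headers, so the browser
    // never sends the real request; 403 makes that visible in server logs.
    if (!cors) { res.writeHead(403); return res.end(); }
    res.writeHead(204, cors);
    return res.end();
  }
  // Simple credentialed GET/POST: one request, answered with the CORS headers
  // when the origin is allowed and without them otherwise (browser blocks it).
  res.writeHead(200, { ...(cors || {}), "Content-Type": "application/json" });
  // Only cookies that c.com itself set arrive here; a.com's cookie does not.
  res.end(JSON.stringify({ cookie: req.headers.cookie || null }));
}
```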