
I have built a REST API in Node.js using Restify which works like a charm. One of the REST endpoints, a GET, does some stuff and then returns the result back to the caller with a Set-Cookie in the header.

When I call the endpoint directly in my browser at http://127.0.0.1/theEnd I receive a cookie, which I can also see in document.cookie. The cookie domain was set to 127.0.0.1.

However, when I call the endpoint from a jQuery Ajax function on another domain, http://beauty.local, and of course set the cookie domain to beauty.local, I do see the Set-Cookie line in the header:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://beauty.local
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, PATCH, DELETE
Access-Control-Allow-Headers: X-Requested-With,content-type
Access-Control-Allow-Credentials: true
Set-Cookie: beauty-api=U2FsdGVkX18Wg3X2OOLlbC2zc62b7ibHEiQ+0MuR6jE6/lhdPUTD8ZxBEJJ1gcJ4qK/87SZ57xwHHl/cxkA1pfw3+wLQ1zMGpn1z10wd++ZyV4J+IevFPm71DbMu9qTD0Rmk7eQjSywVkRtBgKZPInX15X3WU28tO6KYtHSunEesxt4mAn4Kp5DpVWEsO2TG;expires=Sat, 31 May 2014 14:50:09 GMT;domain=beauty.local;
Content-Type: application/json
Content-Length: 76
Access-Control-Expose-Headers: api-version, content-length, content-md5, content-type, date, request-id, response-time
Date: Thu, 29 May 2014 14:50:09 GMT
Connection: keep-alive

However, when I check my devtools in Chrome, I do not see the cookie under Resources/cookie/beauty.local, and I also can't get it using document.cookie. I do see it as a response cookie under the network tab.

I am a bit puzzled, because it works when I call the endpoint directly on my localhost, but when I call it with ajax from another local domain, it doesn't.

What am I missing here?

Thanks in advance

Mattijs
  • In the network tab of Chrome, you see the cookie being sent in the response of the request. Do you see it being sent in the next request to that same domain (in the network tab)? – dylants May 29 '14 at 16:08
  • Not sure here but try setting cookie, domain=.beauty.local – Kiran Pagar May 29 '14 at 16:13
  • yes, the cookie is visible in the response part of the request. I see it in Chrome. It just doesn't get written in the end. – Mattijs May 30 '14 at 00:39
  • these are the request headers: GET /api/questionnaire?_=1401375003206 HTTP/1.1 Host: 127.0.0.1:8080 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Accept: application/json, text/javascript, */*; q=0.01 Origin: http://beauty.local User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Referer: http://beauty.local/de-vragenlijst/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8,nl;q=0.6 – Mattijs May 30 '14 at 00:39
  • Can it have anything to do with my local setup of the website on my MacBook? In my hosts file I have beauty.local linked to 127.0.0.1. Not sure why, when the jQuery ajax function executes from this beauty.local domain, it would for some reason not be allowed to accept a cookie written with the same domain entry. When I look in the jqXHR object of the success handler and print the headers, the Set-Cookie is not there either. – Mattijs May 30 '14 at 00:57
  • I have 1 solution: in the browser, in the success handler, write the cookie myself with JavaScript. When I send a new request I can read the value of the cookie and send it along to the node.js service. Actually I would be mimicking the intended behaviour of the browser. – Mattijs May 30 '14 at 01:23
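The browser rule behind the missing cookie, as an added example that is not code from the question, jQuery or Restify: a JavaScript model of RFC 6265 domain matching (section 5.1.3) and its Domain-attribute check (section 5.3). A response served from 127.0.0.1:8080 cannot set a cookie for beauty.local, because an IP-literal request host only matches an identical Domain value, which is the rule that stops a server from planting cookies on a domain it is not part of. The host name api.beauty.local and the cookie value TOKEN are constructed.

```javascript
// Added example (not code from the question, jQuery or Restify): a model of
// the RFC 6265 rules a browser applies before storing a cookie it received.
// Domain matching is section 5.1.3; the Domain-attribute check is section 5.3.

// True if `host` domain-matches `domain` (RFC 6265 section 5.1.3).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // Only a host name may match a parent domain; an IPv4 literal never does.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith(domain) && host.charAt(host.length - domain.length - 1) === '.';
}

// Split a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    cookie.attrs[(i === -1 ? p : p.slice(0, i)).toLowerCase()] = i === -1 ? '' : p.slice(i + 1);
  }
  return cookie;
}

// Would a browser store this cookie from a response served by `requestHost`
// (host[:port] from the request's Host header)? Returns the decision and scope.
function evaluateSetCookie(header, requestHost) {
  const host = requestHost.toLowerCase().replace(/:\d+$/, ''); // port is not part of the host
  const c = parseSetCookie(header);
  let domain = c.attrs.domain || '';
  if (domain.startsWith('.')) domain = domain.slice(1); // a leading dot is ignored
  if (domain === '') {
    return { stored: true, hostOnly: true, domain: host }; // no Domain attribute: host-only cookie
  }
  if (!domainMatches(host, domain)) {
    // Section 5.3 step 6: the server is not allowed to set cookies for this domain.
    return { stored: false, reason: `request host ${host} does not domain-match ${domain}` };
  }
  return { stored: true, hostOnly: false, domain };
}

// The question's Set-Cookie header with a constructed short cookie value.
const SET_COOKIE = 'beauty-api=TOKEN;expires=Sat, 31 May 2014 14:50:09 GMT;domain=beauty.local;';

// Ajax call from the page: the API answered from 127.0.0.1:8080, so the cookie is dropped.
console.log(evaluateSetCookie(SET_COOKIE, '127.0.0.1:8080'));
// Direct call where the server set domain=127.0.0.1: identical host, so it is kept.
console.log(evaluateSetCookie('beauty-api=TOKEN;domain=127.0.0.1', '127.0.0.1'));
```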

1 Answer


Try to define cookie path in settings.

Set-Cookie: beauty-api=[...];domain=beauty.local;path=/

Here are some examples.

Edit:

There might be some problems with the xhr.withCredentials or crossDomain properties in the jQuery.ajax method.

var post = $.ajax({
    url: url,
    type: 'POST',
    dataType: 'json',
    data: data,
    xhrFields: {
        withCredentials: true
    }
});

More info:

Jquery Ajax CORS + HttpOnly Cookie and Sending credentials with cross-domain posts?

Umidbek
  • Path doesn't help. If I add this to a Restify response request: `res.setHeader('Set-Cookie', 'mycookie=test;expires=Fri, 13 Jun 2014 02:34:20 GMT;domain=beauty.local;path=/'); res.send( 200, { status:"OK" , code:"emailAvailable" } );` then that will send a cookie back on the response. I can see it in the network tab under Response cookies. The path and domain are valid. But it IS a third party cookie coming from a 127.0.0.1:8080 server domain. How do others do this? – Mattijs Jun 12 '14 at 02:38
  • The header: `HTTP/1.1 200 OK Access-Control-Allow-Origin: http://beauty.local Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, PATCH, DELETE Access-Control-Allow-Headers: X-Requested-With,content-type Access-Control-Allow-Credentials: true Set-Cookie: mycookie=test;expires=Fri, 18 Jun 2014 02:34:20 GMT;domain=beauty.local;path=/` – Mattijs Jun 14 '14 at 07:31
  • `Content-Type: application/json Content-Length: 39 Access-Control-Expose-Headers: api-version, content-length, content-md5, content-type, date, request-id, response-time Connection: Keep-Alive Content-MD5: ROGoNobMSSq+So/2K4FG4w== Date: Sat, 14 Jun 2014 07:30:38 GMT Server: beauty-api Request-Id: c7f00740-f395-11e3-9778-53aa3cfb372e Response-Time: 11` – Mattijs Jun 14 '14 at 07:32
  • I tried the withCredentials in the $.ajax function. No difference. Cookie is returned on the response header so the browser should set it I reckon, not $.ajax. – Mattijs Jun 14 '14 at 07:32
  • I also checked if it had anything to do with P3P (should only be an issue with old IEs). For some reason, Chrome doesn't write the cookie when the domain is set correctly. – Mattijs Jun 14 '14 at 08:03
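What the withCredentials flag from the answer actually changes, as an added example that is not code from the answer, jQuery or any browser: a JavaScript model of the checks a browser runs on a cross-origin XHR response before exposing it and before handing its Set-Cookie headers to the cookie store. Without withCredentials the response is readable but Set-Cookie is ignored, and with it the server must echo the exact Origin (never *) and send Access-Control-Allow-Credentials: true; separately, Set-Cookie is a forbidden response header that getAllResponseHeaders() never shows to script, which is why it was missing from the jqXHR object. The cookie value TOKEN and the origin http://other.local are constructed.

```javascript
// Added example (not code from the answer, jQuery or the browser): a model of
// what a browser requires before it processes a cross-origin XHR response that
// was sent with xhrFields.withCredentials, as in the answer's $.ajax call.

// Copy a header object with lower-cased names so lookups are case-insensitive.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// `origin` is the calling page's Origin header, `withCredentials` the XHR flag,
// `responseHeaders` the CORS response. Returns whether the response is exposed
// to the script and whether its Set-Cookie headers are even handed to the
// cookie store (storage then still depends on the cookie's own Domain rules).
function corsOutcome(origin, withCredentials, responseHeaders) {
  const h = lowerKeys(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  const allowCredentials = h['access-control-allow-credentials'];
  if (withCredentials) {
    // A credentialed response must echo the exact Origin; '*' is refused.
    if (allowOrigin !== origin) {
      return { exposed: false, setCookieProcessed: false, reason: 'Allow-Origin must equal the request Origin' };
    }
    // The value must be the literal string "true".
    if (allowCredentials !== 'true') {
      return { exposed: false, setCookieProcessed: false, reason: 'Allow-Credentials must be "true"' };
    }
    return { exposed: true, setCookieProcessed: 'set-cookie' in h };
  }
  if (allowOrigin !== '*' && allowOrigin !== origin) {
    return { exposed: false, setCookieProcessed: false, reason: 'Origin not allowed' };
  }
  // Without withCredentials the body is readable, but the request carried no
  // cookies and any Set-Cookie in the response is ignored.
  return { exposed: true, setCookieProcessed: false };
}

// The response headers shown in the question (constructed cookie value).
const API_RESPONSE = {
  'Access-Control-Allow-Origin': 'http://beauty.local',
  'Access-Control-Allow-Credentials': 'true',
  'Set-Cookie': 'beauty-api=TOKEN;domain=beauty.local;path=/',
};

console.log(corsOutcome('http://beauty.local', true, API_RESPONSE));  // exposed, Set-Cookie processed
console.log(corsOutcome('http://beauty.local', false, API_RESPONSE)); // exposed, Set-Cookie ignored
```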