5

There is a Node server on which, on accepting a user's correct credentials, Passport.js creates and sends a session cookie in the request header named set-cookie.

But when I do an AJAX request from my Chrome browser, the browser accepts the request but doesn't add the cookie on the client side. So when a new request is generated from the client side, the server doesn't authenticate it and throws a 401.

I am confused whether it is a browser issue or I am missing something from the AJAX request.

Please help.

sideshowbarker
Swastik Pareek
  • Do you happen to know against which domain the server is creating the cookie? One possible reason is a conflict between the cookie domain and the website domain. – Mahesh Chavda May 20 '16 at 16:30
  • simple cors-needing requests (those from 3rd parties) don't allow mucking with cookies. – dandavis May 23 '16 at 03:12
  • Can you share the code that you're using to do the ajax request, and the domains of the authentication server and the website? Could be a CORS issue as @MaheshChavda suggested; some browsers refuse to handle the `Set-Cookie` header when doing cross-domain ajax requests. You may be able to add the appropriate options using `credentials` as suggested in this answer http://stackoverflow.com/questions/8863571/cors-request-why-are-the-cookies-not-sent/8870830#8870830 or (with angular): http://stackoverflow.com/questions/19383311/angularjs-http-does-not-seem-to-understand-set-cookie-in-the-response. – Nick Bartlett May 23 '16 at 20:13
  • It also makes sense to check whether the server is correctly set up: http://stackoverflow.com/questions/37090621/cookie-in-ajax-response-from-other-domain-not-honored-are-there-workarounds/37102692#37102692 – Michal Foksa May 24 '16 at 18:51

4 Answers

3

If you are using 'fetch', you need to add a key

```js
// Options object passed as the second argument to fetch()
{
        headers: req.headers,
        credentials: 'include'
}
```
Thomas G
prateekbh
2

Thanks for your answers. I was trying the withCredentials thing, but the session cookie was not getting set on my local.

The reason I figured out was the allowed origins. I need to set the allowed origins at the backend.

The XHR is a secure request if passed with the credentials property. So the client-side browser only saves the cookie if the allowed origin matches the request origin.

So the simple fix was to change the host to something which matches the allowed origin.

At the Node end I need to do `origin: 'domain.com'`, and at the front end I need to set my server (localhost) to point to test.domain.com. And bingo, it worked!

Swastik Pareek
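An added example, not taken from any of the posts above: it pairs the server-side header choice with a simplified model of the browser's CORS check for a request sent with `credentials: 'include'` or `withCredentials: true`. The allow-list, the function names and the `other.example` origin are hypothetical; `http://localhost:4200` is the origin quoted in one of the answers on this page.

```javascript
'use strict';

// Hypothetical allow-list of front-end origins trusted to send cookies.
const ALLOWED_ORIGINS = new Set(['http://localhost:4200']);

// Server side: build CORS headers for a request that carries cookies.
// Only an exact allow-list match is echoed back; unknown origins get no
// CORS headers, so an arbitrary site cannot read authenticated responses.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' }; // caches must key on Origin
  if (requestOrigin && allowed.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser side (simplified model of the CORS check in the Fetch standard):
// with credentials included, the response passes only if Allow-Origin equals
// the page origin exactly ("*" is rejected) and Allow-Credentials is the
// literal string "true".
function passesCredentialedCorsCheck(pageOrigin, responseHeaders) {
  const allowOrigin = responseHeaders['Access-Control-Allow-Origin'];
  const allowCreds = responseHeaders['Access-Control-Allow-Credentials'];
  if (allowOrigin === undefined || allowOrigin === '*') return false;
  return allowOrigin === pageOrigin && allowCreds === 'true';
}

// Constructed sample responses, each checked against the requesting origin.
function demo() {
  const page = 'http://localhost:4200';
  const other = 'http://other.example'; // not on the allow-list
  return {
    allowListed: passesCredentialedCorsCheck(page, corsHeadersFor(page)),
    wildcard: passesCredentialedCorsCheck(page, {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Credentials': 'true',
    }),
    otherOrigin: passesCredentialedCorsCheck(other, corsHeadersFor(other)),
    missingCreds: passesCredentialedCorsCheck(page, {
      'Access-Control-Allow-Origin': page,
    }),
  };
}

console.log(demo());
```

Echoing back whatever `Origin` arrives while also sending `Access-Control-Allow-Credentials: true` would make the check pass for every site, which is why the server side matches against a fixed allow-list.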
2

I was experiencing this issue using Angular 4 in Chrome (IE was working).

Requests from client on localhost:4200 to WebApi on localhost:24336. Had all the CORS setup, `"Access-Control-Allow-Credentials" value="true"` `"Access-Control-Allow-Origin" value="http://localhost:4200"`, etc. and was passing `{ withCredentials: true }` in every request, i.e. like `http.post(url, {}, { withCredentials: true })`.

The fix, for me, was to set the default RequestOptions to {withCredentials: true } by following the steps https://angular.io/api/http/BaseRequestOptions and adding the following to providers: in app.module.ts

,{provide: RequestOptions, useClass: MyOptions}
NormVent
1

If you are using an XHR request, then you need to set withCredentials to true. It should fix the problem; if not, please provide code.

GMchris