
Due to a change in requirements I had to implement a Dropwizard web service for communicating with our SAP Business One instance. This works great so far.

Furthermore, I need to make sure only authenticated clients are allowed to access the API. To accomplish this I am using a JWT which is generated by another, already existing web service. For communicating with both web services I am using the same Aurelia fetch client.

Despite having set the credentials option to include, as well as returning the same values for the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers (http://127.0.0.1:9000 and true), the cookies are only sent to the web service that generates the JWT and not to the Dropwizard web service.

Below you can see the code for initialising the fetch client.

configuration.useStandardConfiguration()
    .withDefaults
    ({
        credentials: "include",
        headers:
        {
            "Content-Type": "application/json;charset=utf-8"
        }
    });

Next, the following screenshot shows the developer console of Firefox when communicating with the Go web service. The Cookie header is sent as expected.

[Screenshot: headers when communicating with the JWT-generating web service]

However, when accessing the resource on the Dropwizard web service, the Cookie header is not sent.

[Screenshot: headers when communicating with the Dropwizard web service]

iHasCodeForU
Lukas

1 Answer


In the first case the request is done from http://127.0.0.1 to http://127.0.0.1.

In the second case, the request is done from http://127.0.0.1 to http://192.168.16.22:8090, isn't it? This is a CORS request.

Maybe this is your issue: Cross domain POST request is not sending cookie Ajax Jquery

You cannot set or read cookies on CORS requests through JavaScript. Although CORS allows cross-origin requests, the cookies are still subject to the browser's same-origin policy, which means only pages from the same origin can read/write the cookie.

Community
pedrofb
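The two requests from the question, modelled as an added example (not code from the question or the answer) that applies only host-based cookie scoping and the two CORS response headers. The JWT service port 8080, the paths, the cookie name `jwt` and the assumption that the cookie was set by host 127.0.0.1 are constructed for illustration.

```javascript
// Added example: models the browser rules relevant to this question.
// Port 8080, the paths and the cookie name are constructed, not from the page.

// Two URLs share an origin only if scheme, host and port all match.
function isCrossOrigin(pageUrl, targetUrl) {
  return new URL(pageUrl).origin !== new URL(targetUrl).origin;
}

// Cookies are scoped by host, not by port. A cookie set without a Domain
// attribute is host-only: it is returned only to the exact host that set it.
function cookiesFor(jar, targetUrl) {
  const host = new URL(targetUrl).hostname;
  return jar.filter(c => c.host === host).map(c => c.name);
}

// For a credentialed request the browser exposes the response only if
// Access-Control-Allow-Origin equals the page origin exactly ("*" is rejected)
// and Access-Control-Allow-Credentials is "true".
function credentialedResponseReadable(pageUrl, headers) {
  const origin = new URL(pageUrl).origin;
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

function describeFetch(pageUrl, jar, targetUrl, headers) {
  const crossOrigin = isCrossOrigin(pageUrl, targetUrl);
  return {
    crossOrigin,
    cookiesSent: cookiesFor(jar, targetUrl),
    responseReadable: !crossOrigin || credentialedResponseReadable(pageUrl, headers),
  };
}

const page = "http://127.0.0.1:9000";
const corsHeaders = {
  "Access-Control-Allow-Origin": "http://127.0.0.1:9000",
  "Access-Control-Allow-Credentials": "true",
};
// Constructed jar: assumes the JWT cookie was set by the service on 127.0.0.1.
const jar = [{ name: "jwt", host: "127.0.0.1" }];

const toJwtService = describeFetch(page, jar, "http://127.0.0.1:8080/login", corsHeaders);
const toDropwizard = describeFetch(page, jar, "http://192.168.16.22:8090/api", corsHeaders);
console.log(toJwtService);  // cross-origin (port differs), cookie still sent
console.log(toDropwizard);  // CORS headers pass, but no cookie exists for this host
```

Both requests are cross-origin and both pass the CORS header check; only the host the cookie belongs to differs. A token that must reach a second host has to travel another way, for example in an `Authorization` header, or both services have to be served under one host.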