12

For an Angular 1 app I am working on, cookie authentication is used. The problem is: when making OPTIONS calls, cookies are not sent and the server tries to redirect the user to login again. Just wondering, whose "fault" is it? Server (Azure API Apps) or frontend? If frontend, how do I send cookies on OPTIONS call? I am using angular-resource and have configured it as below:

$httpProvider.defaults.withCredentials = true

Jiew Meng

1 Answer

22

The specification says:

Otherwise, make a preflight request. Fetch the request URL from origin source origin using referrer source as override referrer source with the manual redirect flag and the block cookies flag set, using the method OPTIONS, and with the following additional constraints … Exclude user credentials.

and also

The term user credentials for the purposes of this specification means cookies, HTTP authentication, and client-side SSL certificates that would be sent based on the user agent's previous interactions with the origin. Specifically it does not refer to proxy authentication or the Origin header.

So the client should not send cookies, and the server should be able to respond to the preflight request without requiring authentication to take place first.

Quentin
  • @MoshtabaDarzi — Any code would be specific to your particular server platform. If you have trouble configuring your server to do what the last paragraph of this answer says then you should ask a new question including a [mcve] and details of your server configuration. – Quentin Dec 08 '20 at 13:23
  • 1
    Citation is actually from the wrong spec (whatwg); the above wording appears only in the W3 spec: https://www.w3.org/TR/2020/SPSD-cors-20200602/#cross-origin-request-with-preflight-0 – Cedric Reichenbach Nov 08 '21 at 14:36
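
The behaviour the answer asks of the server, as an added example that is not part of the original question or answer: the preflight is answered before any authentication check, and only the actual request is required to carry the cookie. The request shape (`{ method, headers }` with lowercase header names), the origin `https://app.example.com` and the cookie name `session` are assumptions made for illustration.

```javascript
// Added example, framework-neutral. ALLOWED_ORIGINS and the "session" cookie
// name are assumptions, not values from the question.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// A CORS preflight is an OPTIONS request carrying Origin and
// Access-Control-Request-Method. Browsers send it without cookies.
function isPreflight(req) {
  return req.method === "OPTIONS" &&
    Boolean(req.headers["origin"]) &&
    Boolean(req.headers["access-control-request-method"]);
}

function corsHeaders(origin) {
  // With credentials the origin must be named explicitly; browsers reject "*".
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Takes { method, headers } and returns { status, headers }.
function handle(req) {
  const origin = req.headers["origin"];
  const originOk = origin !== undefined && ALLOWED_ORIGINS.has(origin);

  if (isPreflight(req)) {
    // Answered before the authentication check, so no redirect to login.
    if (!originOk) return { status: 403, headers: {} };
    return {
      status: 204,
      headers: {
        ...corsHeaders(origin),
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
        "Access-Control-Allow-Headers": "Content-Type",
      },
    };
  }

  // Actual request: the cookie is sent because withCredentials is true.
  const authed = /(?:^|;\s*)session=[^;]+/.test(req.headers["cookie"] || "");
  // Design choice in this example: 401 instead of a redirect to the login page.
  return { status: authed ? 200 : 401, headers: originOk ? corsHeaders(origin) : {} };
}
```

The preflight branch only describes what the server allows; the authentication decision is still made on the actual request, which carries the cookie.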