9

We are planning to support the integration of remote login forms to our application. For this I provide a CORS enabled API call that sets an authentication cookie for our application. The ajax call succeeds and the response contains the cookies, but once I redirect the browser to our application, the cookie is not contained anymore.

My setup consists of the login form running on http://myhost/login.html, the API login call is running on http://myapp:8080/login (ASP.net Web Api) and the application itself on http://myapp/app (ASP.net MVC)

The ajax call looks like this:

var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://myapp:8080/login', true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.onload = function() {
    var resp = xhr.responseText;
    if(xhr.status == 200) {
        document.querySelector('#status').innerHTML = 'Login successful <a href="http://myapp/app">Go to MyApp</a>';
    }
    else {
        document.querySelector('#status').innerHTML = 'Login Failed : ' + xhr.statusText + '<br /><pre>' + xhr.responseText + '</pre>';
    }        
};
xhr.send(JSON.stringify({ UserName: 'User', Password: 'Pass' }));

And the server responds: 

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://myhost
Content-Length:0
Date:Fri, 23 Jun 2017 08:49:04 GMT
Server:Microsoft-HTTPAPI/2.0
Set-Cookie:MyAppToken=SecretToken; domain=myapp; path=/

When I directly afterwards investigate on the cookies (Google Chrome), I can see that the cookie was set with the correct domain and content. But upon page reload or redirect to http://myapp/app the cookie is not set anymore and also my planned auto-login is not kicking in.

Is there something else I need to consider when I want the MyAppToken to be available on the app after the AJAX call? I do not need access to the MyAppToken cookie on myhost it only needs to be available for myapp to do the login.

Update (2017-07-19)

With only changing our test environment the system described above is working without problems. It seems likely that certain security constraints are influencing whether the browser transmits the cookie to the target application. Especially the 3rd-party cookie policies mentioned by Dennis C. sounds reasonable.

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Danielku15
  • 1,490
  • 1
  • 13
  • 29
  • What are your browser settings regarding 3rd-party cookies? Did you try this with all extensions disabled, that might otherwise block/remove certain cookies for privacy reasons? Do things change if you set the cookie with an actual expire timestamp? – CBroe Jul 12 '17 at 11:46
  • There are no special browser settings regarding the cookies (browser default) and also no plugins. Unless our IT enrolles some special policies which I might miss. – Danielku15 Jul 12 '17 at 13:38
  • The cookie is set for `myapp` and you are trying to access it on `myhost`. That's probably why the cookie isn't reflected in the browser. – TheChetan Jul 14 '17 at 04:25
  • No, I'm not accessing it on `myhost`. After the cookie is set for `myapp` via API, I am redirect to a web application running on `myapp` to access it from there. It's only the login form which is operating on `myhost` but no further access to this cookie is needed. – Danielku15 Jul 14 '17 at 09:27

3 Answers3

1

The absence of an expiration date means you are creating what is called a session only cookie. Closing your connection to your application could be causing the cookie to be cleared.

enter image description here

This is created like this:

HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
Response.Cookies.Add(CrossAuth);

If you want the cookie to persist, try adding an expiration date:

HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
CrossAuth.Expires = DateTime.Now.AddHours(3);
Response.Cookies.Add(CrossAuth);

Which should result in a cookie that looks like this:

enter image description here

Alexander Higgins
  • 6,765
  • 1
  • 23
  • 41
  • That's true in general. But in our case we are doing a direct redirect after login which should keep the session active. – Danielku15 Jul 20 '17 at 11:58
  • I am not clear on how you are keeping the session open. myapp:8080 and myapp:80 are two different applications with two connections and two different sessions. – Alexander Higgins Jul 20 '17 at 16:41
0

By default, most browser will ignore all 3rd-party cookies unless some P3P policy is given.

I suggest you can checkout some other answered question on https://stackoverflow.com/questions/tagged/p3p?sort=votes

Dennis C
  • 24,511
  • 12
  • 71
  • 99
  • It sounds reasonable that it could be that the browser blocks the cookie due to 3rd-party cookie restrictions. During our latest tests we were able to get a working version of the solution described in the post without major changes. It sounds reasonable that with certain hostnames and test environments the behavior changes. We will investigate on this further. – Danielku15 Jul 19 '17 at 07:58
0

login form running on http://myhost/login.html,

the API login call is running on http://myapp:8080/login (ASP.net Web Api)

the application itself on http://myapp/app (ASP.net MVC)

In your application using loginform is one domain and api is another domain and your application is another domain.so, the access control is not working

If ASP net MVC Application if Access-Control-Allow-Origin refer url is

https://enable-cors.org/server_iis7.html

httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Origin" value="*" />
     </customHeaders>
</httpProtocol>

(*) is used for accept request from any domain. you only accept particular domains the you will check the

Access-control-allow-origin with multiple domains

Access-Control-Allow-Origin: {your api domain name}
Access-Control-Allow-Credentials: true

set the mvc domain request headers.

this Process it's your Code return Server Respons have the vaild cookie in header. this cookie is ajax requested response.it's not stored in domain based cookie storage in web browser. so,we cannot use the after redirect.because, the domain url based only cookies are storing in Web browser

In another way to save the cookie in your web browser in a same domain it's possible. but the Cross domain cookie Saving it's prossible for the Security Reasons. Cookie Storage image in Web Browser

Refer How to set a cookie for another domain using JavaScript?

so, In this Suitation you can Write the code after getting the Success response.

1)write the method in mvc Controller and write method with one param.

2)in html page set the one form with

<form id="crossorginpostform" method="post" action="">
 <input type="hidden" id="apptoken" name="MyAppToken"/> 
</form>

set the cookie value in apptoken field and change the url and javascript based you sumbit the form of your mvc controller method post the cookie and redirect to your required action.

you receive the cookie and reassign the cookie in that domain as you want.

Refer this Link How to set a cookie for another domain

in this place we are set the cross domain cookie from another domain their using PHP that the same way you set. I Hope this is Helpful for you.

umasankar
  • 599
  • 1
  • 9
  • 28
  • Thanks but your answer does not fully match to what I've already described how the setup is. CORS headers are set and valid (as shown in the example). The description for enabling CORS headers is not valid for ASP.net Web API. Can you elaborate why the web browser does not store the cookie provided by the API (for its own domain)? Notice that the cookie is expected to be available for the same domain as where the API is running (in the MVC app), not where the login form is run and also not in JavaScript. – Danielku15 Jul 19 '17 at 11:03