
I am using the angularjs2 http service to send http requests. In the login API, I send a POST request with the user credential; the backend server generates a session_id in the response and saves it in a cookie. That session_id doesn't show in the http response object in Angularjs. But I can see this value in the Chrome debug network panel. There is a Cookies tab under Network. From there I can see the session_id and its value. After logging in successfully, I use the code below to send the next http request:

```
let options = new RequestOptions({ headers: this.headers, withCredentials: true });
return this.http.get(url, options);
```

But I got the error response below:

```
XMLHttpRequest cannot load https://backendjump.net/user/. Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
```

When I debugged the request in Chrome, I found the request header is like below:

```
Request URL:https://testapi.net/user/
Request Method:OPTIONS
Status Code:204 No Content
Remote Address:52.43.21.19:443
Referrer Policy:no-referrer-when-downgrade
```

It doesn't include the cookie session_id mentioned above. Another interesting thing is that the Request Method becomes OPTIONS, not GET.

I don't know how to solve this issue. Is it a backend or front-end issue?

georgeawg
Joey Yi Zhao
  • As you can see, it's an `OPTIONS` request: this request is sent by the browser to "test" the endpoint. Allow your backend to accept OPTIONS requests, and then it should work (assuming your headers are correct). –  Jul 11 '17 at 10:24
  • You cannot include credentials / authorization in an option request. -> https://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request – lin Jul 11 '17 at 10:27
  • @trichetriche why does the browser send a test request? I remember that before I implemented credentials there was no `OPTIONS` request. – Joey Yi Zhao Jul 11 '17 at 10:37
  • [Take a look at that](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS), I quote it from there: `The HTTP OPTIONS method is used to describe the communication options for the target resource. The client can specify a specific URL for the OPTIONS method, or an asterisk (*) to refer to the entire server.` –  Jul 11 '17 at 10:39
  • So the solution is just to accept OPTIONS requests on the server side, right? – Joey Yi Zhao Jul 11 '17 at 10:56

0 Answers
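Added example, not part of the original thread and not the asker's backend code: a server-side sketch of the preflight handling the error message asks for, returning `Access-Control-Allow-Credentials: true` only for an exact allowlisted origin. The allowlist contents, the allowed methods and headers, and the names `corsHeaders`, `handleCors` and `corsMiddleware` are assumptions.

```javascript
// Assumed allowlist: the origin is the one named in the error message above.
const ALLOWED_ORIGINS = new Set(['http://localhost:4200']);
const ALLOWED_METHODS = 'GET, POST, OPTIONS'; // assumed
const ALLOWED_HEADERS = 'Content-Type';       // assumed

// CORS headers for an allowlisted origin, or null for any other origin.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    // With credentials the browser rejects '*', so return the exact origin.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Decide the CORS part of the response. `headers` uses lowercase names,
// as Node's req.headers does.
function handleCors(method, headers) {
  const cors = corsHeaders(headers.origin);
  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in headers;
  if (!isPreflight) {
    // Actual request (this one carries the session cookie): add headers, continue.
    return { preflight: false, status: null, headers: cors || {} };
  }
  if (!cors) return { preflight: true, status: 403, headers: {} };
  return {
    preflight: true,
    status: 204,
    headers: Object.assign({}, cors, {
      'Access-Control-Allow-Methods': ALLOWED_METHODS,
      'Access-Control-Allow-Headers': ALLOWED_HEADERS,
      'Access-Control-Max-Age': '600',
    }),
  };
}

// Node-style middleware. Register it before any session check: the preflight
// is sent without cookies, so it must be answered without authentication.
function corsMiddleware(req, res, next) {
  const out = handleCors(req.method, req.headers);
  for (const [name, value] of Object.entries(out.headers)) res.setHeader(name, value);
  if (out.preflight) { res.statusCode = out.status; return res.end(); }
  next();
}
```

Echoing whatever `Origin` arrives instead of checking an allowlist would let any site make credentialed requests with the user's session cookie.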