
I'm trying to build a login site on domain "example.com" that sends an Ajax request to the domain "other_domain.com" and, if the credentials are ok, this request sends back a session cookie. After that I want to redirect to the "other_domain.com" site and want to be logged in.

I have a solution that works on IE11, Edge and Chrome, but not on Firefox, because Firefox does not set the returned cookie when I redirect to the "other_domain.com" site.

This is the ajax request code:

// Credentials collected by the login form (sample object; the original snippet does not define it)
var payload = { username: 'user', password: 'secret' };

var xhr = new XMLHttpRequest();
// Send and accept cookies on this cross-origin request; the server must answer with
// Access-Control-Allow-Credentials: true and an exact (non-wildcard) Access-Control-Allow-Origin
xhr.withCredentials = true;
xhr.open('POST', 'https://other_domain.com/login', true);
// A JSON content type is not a "simple" header, so the browser sends an OPTIONS preflight first
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.onreadystatechange = function () {
    // Only redirect once the response is complete and the login succeeded
    if (this.readyState == 4 && this.status == 200) {
        window.location.replace("https://other_domain.com/app");
    }
};
xhr.send(JSON.stringify(payload));

I can see on every browser that the OPTIONS request succeeds, and also that the AJAX POST returns 200 OK on every browser if the credentials are correct.

The returned cookie has the following values:

CreationTime: "Fri, 28 Sep 2018 12:48:49 GMT"
Domain: "other_domain.com"
Expires: "Session"
HostOnly: true
HttpOnly: true
LastAccessed: "Fri, 28 Sep 2018 12:48:49 GMT"
Path: "/"
Secure: true
sameSite: "Lax"

Additional info after being flagged as duplicate:

I can see in the developer console that on the OPTIONS and the POST request from the code above the following headers are returned:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://example.com

I can see the Set-Cookie header with the correct value in the response in Firefox too, but the cookie is not set after the redirect to other_domain.com. Also, my Firefox is set to "Accept third party cookies and site data" - "always".

mibiio
    CORS has Access-Control-Allow-Credentials: true https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials ? – gorlok Sep 28 '18 at 14:04
  • And make sure you are not using localhost for testing https://stackoverflow.com/a/13967269/597200 – gorlok Sep 28 '18 at 14:05
    Look at this for a better explanation https://stackoverflow.com/a/24689738/597200 – gorlok Sep 28 '18 at 14:07
  • The Access-Control-Allow-Credentials header is set and the Origin header is also set to the correct domain. I also don't test on localhost. It works in every browser except Firefox. Maybe Firefox needs some additional CORS setting, but I haven't found anything in my search – mibiio Sep 28 '18 at 15:28
  • Reopened per updated question – sideshowbarker Sep 28 '18 at 21:34

1 Answer


I had the same issue. Look at the Set-Cookie header: does it have the SameSite=Lax attribute? If so, set that property to None when setting the cookie on the server. In .NET, when creating a cookie, you have that option: Lax, Strict, or None.

https://learn.microsoft.com/en-us/dotnet/api/system.web.httpcookie.samesite?view=netframework-4.7.2

joetherod
  • Thanks for your answer. In the meantime I refactored my solution so that it doesn't need CORS cookies. My cookie had SameSite set to Lax, so maybe your solution works - but I cannot test. I don't know if I should accept your answer as I cannot check it right now. – mibiio Nov 12 '18 at 10:44
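The server side of the exchange above, as an added example that is not code from the question or the answer: the login endpoint on other_domain.com must answer the credentialed XHR with an exact-origin CORS response and, following the answer's fix, issue the session cookie with SameSite=None; Secure. The names ALLOWED_ORIGINS, buildCorsHeaders, buildSessionCookie and respondToLogin, and the session id value, are assumed/constructed.

```javascript
// Added example, not code from the question or the answer. Names and the
// sample session id are assumed/constructed.
const ALLOWED_ORIGINS = new Set(['https://example.com']); // exact origins; '*' is invalid with credentials

// CORS headers for a credentialed request. With withCredentials=true the
// browser requires the exact origin in Access-Control-Allow-Origin, so the
// request's Origin is echoed only when it is on the allowlist; Vary: Origin
// stops a shared cache from replaying one origin's answer to another.
function buildCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',
  };
}

// Set-Cookie value for the session. The cookie in the question carried
// SameSite=Lax; the answer's fix is SameSite=None, which browsers accept only
// together with Secure, so that pairing is enforced here. HttpOnly keeps the
// session id away from scripts running on other_domain.com.
function buildSessionCookie(sessionId, { sameSite = 'None', secure = true } = {}) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) throw new Error('unexpected session id format');
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('bad SameSite value');
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`session=${sessionId}`, 'Path=/', 'HttpOnly'];
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Decision logic for the preflight and the login POST, returning the status
// and headers a server would write for the request in the question.
function respondToLogin({ method, origin, credentialsOk, sessionId }) {
  const cors = buildCorsHeaders(origin);
  if (cors === null) return { status: 403, headers: {} }; // no CORS headers: browser withholds the response
  if (method === 'OPTIONS') return { status: 204, headers: cors }; // preflight
  if (!credentialsOk) return { status: 401, headers: cors };
  return { status: 200, headers: { ...cors, 'Set-Cookie': buildSessionCookie(sessionId) } };
}
```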