1

My React app (from domain react-app.com) is loaded inside a website, beautiful-site.com, and the requests sent from the React app don't send the session cookie associated with it.

The workaround I had was to add the headers below on the server, and in the React app the XHR requests are sent with withCredentials: true

Access-Control-Allow-Origin: https://beautiful-site.com
Access-Control-Allow-Credentials: true

The issue is I can specify a particular site in Access-Control-Allow-Origin, because the React app will be added to many sites, not one.

Is there any way to get the session cookie sent from the React app?

CaptainZero
  • 1
    For the origin problem, you can look at the cors (npm package) configuration. It allows you to determine dynamically which domain can be whitelisted... – BENARD Patrick Jan 11 '20 at 10:48
  • potentially related: [No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API](/q/43871637/11107541) – starball May 06 '23 at 00:39

1 Answer

3

The answer is no, but you have a workaround: when you set withCredentials you can't have an Access-Control-Allow-Origin: *.

The fix must be done server side: your API service must return the domain of the request in the Access-Control-Allow-Origin header, commonly taken from the Origin header.

See No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API (the How to fix “Access-Control-Allow-Origin header must not be the wildcard” problems subsection) for technical details.

keul
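
One way to implement the server-side fix described in the answer, as an added example that is not part of the original post: the Origin header is echoed back only on an exact match against an allowlist, because reflecting every origin together with Access-Control-Allow-Credentials: true lets any site read responses made with the user's session. The second host name, the allowed methods and headers, and the handler itself are assumptions.

```javascript
// Added example, not from the original answer. Host names are constructed samples.
const ALLOWED_ORIGINS = new Set([
  'https://beautiful-site.com',
  'https://partner-site.example',
]);

// Build CORS headers for one request. The Origin value is echoed back only
// on an exact match against the allowlist (no substring or suffix matching).
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin keeps shared caches from replaying one site's headers to another.
  const headers = { Vary: 'Origin' };
  if (typeof origin === 'string' && allowed.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Request handler with the (req, res) shape used by Node's http.createServer.
function handle(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  const allowed = 'Access-Control-Allow-Origin' in headers;
  if (req.method === 'OPTIONS') {
    // Preflight: advertise methods/headers only to allowlisted origins.
    if (allowed) {
      headers['Access-Control-Allow-Methods'] = 'GET, POST';
      headers['Access-Control-Allow-Headers'] = 'Content-Type';
    }
    res.writeHead(allowed ? 204 : 403, headers);
    return res.end();
  }
  // Without the CORS headers the browser refuses to expose the response to the
  // calling page, but the request has already run: keep server-side auth checks.
  res.writeHead(200, { ...headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}
```

The handler can be passed directly to Node's `http.createServer`; new embedding sites are enabled by adding their exact origin (scheme, host and port) to the set.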