3

I am trying to send Cookies to a PHP Script within a javascript fetch CORS request. The Request starts on https://sub1.example.com and contains the following options:

let response = await fetch('https://sub2.example.com/target.php', {
    method: "POST",
    headers: headers,
    body: formData,
    mode: 'cors',
    credentials: 'include',
    cache: 'no-store'
});

The corresponding PHP Script sets the following Headers:

header('Access-Control-Allow-Origin: https://www.example.com');
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Request-With, Set-Cookie, Cookie, Bearer');

But the Cookie Header is not send with the request. I also tried:

let headers = new Headers();
headers.set('Cookie', document.cookie);

That also had no effect. What exactly am I doing wrong here?

I checked the Network Tab in the Development Tools. Also $_COOKIE in the PHP Script is empty. There is absolutely no error. I can also see that the Cookie Header is sent in any not CORS fetch request.

EDIT: Here are the Settings of one of the Cookies:

Name: PHPSESSID
Path: /
Secure: true
SameSite: none

I can't share the Domain because it's not public. But the Cookie Domain has the same Value as the Origin in the Request Header (Minus the https://).

EDIT 2: Changed the fetch URL to make clearer what's happening.

jub0bs
  • 60,866
  • 25
  • 183
  • 186
KHansen
  • 784
  • 5
  • 21
  • `Cookie Header is not send`...how do you know? It's not clear what you've tested, or what consequences you're seeing. is there an error? – ADyson Jan 05 '22 at 09:28
  • I checked the Network Tab in the development Tools. Also `$_COOKIE` in the PHP Script is empty. There is absolutely no error. I can also see, that the Cookie Header is send in none CORS fetch Requests. – KHansen Jan 05 '22 at 09:33
  • Please edit your question and add the values of the `Name`, `Domain`, `Path`, `Secure`, and `SameSite` attributes of the cookie in question. – jub0bs Jan 05 '22 at 10:28
  • And you're setting that cookie on a secure origin (`https://`)? Does the cookie actually get set / exist in your browser? – jub0bs Jan 05 '22 at 10:47
  • @jub0bs Yes the Cookie is set on a secure origin. And I can see the Cookie in my browser. Also the same Cookie is send as soon as the fetch is performed on the same domain. – KHansen Jan 05 '22 at 10:50
  • @KHansen Ok, thanks for those details; that helps. You wrote "_the Cookie Domain has the same Value as the Origin in the Request Header_". But what about the request's destination origin? How is that destination origin related to the value of the cookie's `Domain` attribute? – jub0bs Jan 05 '22 at 10:57
  • @jub0bs It's another subdomain. The Origin is sub1.example.com and the Destination is sub2.example.com. I hope that's what you mean by destination origin. – KHansen Jan 05 '22 at 11:02
  • @KHansen Ok, we're getting closer now! And, following your example, what is the value of the cookie's `Domain` attribute? Do you explicitly set the value of the `Domain` attribute in your code or not? – jub0bs Jan 05 '22 at 11:11
  • @jub0bs The value of the cookie's domain would be `sub1.example.com`. The Cookie is set by the server (It's the PHP Session ID). I don't alter it in any way. – KHansen Jan 05 '22 at 11:16
  • 1
    @KHansen Well, there is the answer. Browsers will never ever send a cookie whose effective value for the `Domain` attribute is `sub1.example.com` to `sub2.example.com`. If you want your cookie to be sent to subdomains, you need to explicitly set its `Domain` attribute to a common parent domain, e.g. `example.com`. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#domain_attribute – jub0bs Jan 05 '22 at 11:19
  • @KHansen - Not sure if you can help, but I'm having a similar problem. I think it also has to do with the cookie domain. I'm doing a cross-origin fetch to https://example.com from localhost. I set the cookie to "SameSite: none" and didn't touch anything else, so I believe the cookie domain should origin should be "localhost" and destination is example.com. Eventually, the request will be made from a secured url, but localhost is not secure, so I don't think I can add the 'secure' attribute, correct? And then for the domain, should I just set it to the destination domain 'example.com'? – JoJo Apr 30 '22 at 01:47
  • @JoJo I've never tried that with localhost. Basically for a Cookie to be sent the whole Domain (and Subdomain) has to be the same. – KHansen May 02 '22 at 04:57

3 Answers3

4

Problem

Be aware that, depending on

  • the value of the cookie's Path attribute,
  • the effective value of the cookie's Domain attribute,
  • the value of the cookie's Secure attribute,
  • the effective value of the cookie's SameSite attribute,
  • the request's issuing and destination origins,

a cookie may or may not be attached to the request. Of particular relevance to your case is the Domain attribute; check out MDN's page on the topic:

The Domain attribute specifies which hosts can receive a cookie. If unspecified, the attribute defaults to the same host that set the cookie, excluding subdomains. If Domain is specified, then subdomains are always included. Therefore, specifying Domain is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.

You're setting the cookie as follows on origin https://sub1.example.com:

Set-Cookie: PHPSESSID=whatever; Path=/; SameSite=None; Secure

Therefore, that cookie will get attached to (credentialed) requests whose destination origin is https://sub1.example.com, and no other.

Solution

If you want your cookie to be sent to all secure origins whose domain is an example.com subdomain, you need to explicitly set its Domain to example.com.

About sending cookies with fetch

The Fetch standard specifies a list of forbidden header names; Cookie is one of them. You cannot set a header named Cookie on a request sent with fetch; the standard simply forbids it. If you want to attach existing cookies to a cross-origin request, use the 'include' value for the credentials parameter passed in fetch options.

jub0bs
  • 60,866
  • 25
  • 183
  • 186
  • @KHansen — You're trying to set the Cookies header with **code**, not send the cookies **previously set** by an earlier request to **the origin in your form action** (`document.cookie` is the origin of the HTML document not the action). – Quentin Jan 05 '22 at 10:29
  • @Quentin No, that is only what I also tried. In my fetch Request is set `credentials: 'include`. That should send the Cookie Header, but it doesn't. – KHansen Jan 05 '22 at 10:38
2

These are the conditions that need to be met in order for the browser to save and then use cookies initiated using fetch:

  1. Client initializes asynchronously a fetch request with credentials: 'include'. See [here][1] for more details.
  2. To do CORS, server response header must contain Access-Control-Allow-Origin explicitly set to a domain, could be different from the server domain. For example, in a Single-Page-App architecture, your frontend site is temporarily hosted at localhost:3000 and your backend server hosted at localhost:8000, then the header should be Access-Control-Allow-Origin: http://localhost:3000. See [here][2] and [here][3].
  3. To allow client to process cookies, which is obviously a sensitive resource, server response header must further contain Access-Control-Allow-Credentials: true. See [here][4]. Note that this enforces a non-wildcard setting for Access-Control-Allow-Origin. See [here][6] - that's why in point 2 above, it has to be explicitly set to something like http://localhost:3000 rather than *
  4. When server sets the cookie, it has to include SameSite=None; Secure; HttpOnly. So overall something like Set-Cookie: session_id=12345; SameSite=None; Secure; HttpOnly. SameSite seems to be a relatively [new requirement][5] in latest browsers, and must be used with Secure together when SameSite is set to None.
  5. With regard to HttpOnly, I haven't found relevant materials, but in my experiment, omitting it caused the browser to ignore the Set-Cookie header.
  6. Further requests to the backend server also must have credentials: 'include' set.

Source: https://stackoverflow.com/a/67001424/368691

Gajus
  • 69,002
  • 70
  • 275
  • 438
1

Cookies normally are not supposed to be attached to preflight requests in CORS mode. You might want to check this out.

Note: Browsers should not send credentials in preflight requests irrespective of this setting. For more information see: CORS > Requests with credentials.

https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch

peterrogov
  • 33
  • 4
  • I don't really care about the preflight request. I need the Cookie Data in the POST request. – KHansen Jan 05 '22 at 09:58
  • how is the cookie set? is it https only? what is the cookie domain, is it the same as the script you are fetching from? – peterrogov Jan 05 '22 at 10:10
  • The Cookie has the following settings: SameSite: None / Secure: true. The Domain is the same. – KHansen Jan 05 '22 at 10:15