7

I'm using jQuery's ajax() method to make some asynchronous server calls and want to catch the case where a call fails because the session has timed out.

From looking at the response headers in this case, I see that they include

`Set-Cookie: SMSESSION=LOGGEDOFF`

which seems like a pretty reliable test. But calling getAllResponseHeaders on the XMLHttpRequest object passed to jQuery's error callback apparently returns an empty string, and I'm having trouble figuring out any other way of getting that header information.

Is this possible?

Dan Tao
  • 1
    http://stackoverflow.com/questions/220231/accessing-http-headers-in-javascript – quantumSoup Aug 25 '11 at 21:31
  • @quantumSoup: OK then, looks like it's a duplicate, so I will close this one... just to clarify, though, is the *correct* answer that you can't access the response headers? One of the answers to the other question mentions `getAllResponseHeaders` and has 17 upvotes. – Dan Tao Aug 25 '11 at 21:36
  • Once the response is processed by the browser your cookie should be set right and then you could use the js cookie read method to check the value – Baz1nga Aug 25 '11 at 21:38
  • 1
    @zzzz: I had a similar thought... It seems that doesn't happen until *after* the callbacks have been called though; am I right in saying that? I suppose I could just do some sort of `setTimeout` deal in the `complete` callback in that case... – Dan Tao Aug 25 '11 at 21:43
  • Yup. That's right. Use `setTimeout`; also `getAllResponseHeaders` should be fine too. I would google about it. – Baz1nga Aug 25 '11 at 21:48
  • 3
    According to this spec (http://www.w3.org/TR/XMLHttpRequest/#the-getresponseheader-method), `getAllResponseHeaders()` will return all headers except the `Set-Cookie` header. You have to go through the cookie interface to get cookies. – jfriend00 Aug 25 '11 at 22:34
  • 1
    @jfriend00: Sadly, what I'm seeing appears to be that: (1) `getAllResponseHeaders()` is returning `""` (possibly jQuery is doing this?); and (2) the cookie in question isn't actually updated by the browser. I don't understand HTTP well enough to know why, though I can say the cookie is secure and hasn't expired. In any case, it's just frustrating that I can't get the value of `Set-Cookie` *from* the response header, as that's all I really care about (i.e., if the service even *tries* to set the cookie to `LOGGEDOFF`, *that's* what I want to know). Do you happen to know if this is for security? – Dan Tao Aug 26 '11 at 01:28
  • Yes, this is probably for security reasons because some cookies are marked by the server as "not accessible by javascript" and can only be sent back to the server, not accessed by javascript. If one was allowed to get the set-cookie header, then you could bypass this. You should just read the cookie from the normal cookie API and make sure that the desired cookie isn't set by the host for host access only. – jfriend00 Aug 26 '11 at 01:54
  • (http://www.html5rocks.com/en/tutorials/cors/#toc-withcredentials). Set **"Access-Control-Allow-Credentials: true"** header on server, and pass **xhrFields: { withCredentials: true }** when making the ajax request. – Cem May 30 '13 at 07:53

2 Answers

2

If you read the W3 XHR spec you'll see that they don't allow you to access the set-cookie response header via a getAllResponseHeaders('Set-Cookie') call.

See 4.7.3 The getResponseHeader() method:

Bullet point 3: "If header is a case-insensitive match for Set-Cookie or Set-Cookie2, return null."

http://www.w3.org/TR/XMLHttpRequest/#the-getallresponseheaders%28%29-method

jfriend00 also left this response in the comments above but I thought this question could use a legitimate answer.

a_dreb
-2

If the document is from the same domain and path, use the `document.cookie` interface. If the cookie has the http-only attribute set, it's inaccessible.

Jon Cooke
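
The two answers above, as an added JavaScript example that is not from the original thread: a model of the spec's `Set-Cookie` filter, plus a `document.cookie` check that reports `unknown` when the cookie is hidden from script. `SMSESSION` and `LOGGEDOFF` come from the question; the function names and sample data are constructed for illustration.

```javascript
// Added example, not code from the thread. Function names are hypothetical.

// Models the XHR rule quoted above: Set-Cookie and Set-Cookie2 are dropped
// (case-insensitively) from the headers that script is allowed to read.
function visibleResponseHeaders(rawHeaders) {
  return rawHeaders
    .split(/\r?\n/)
    .filter((line) => line.includes(':'))
    .filter((line) => !/^set-cookie2?$/i.test(line.split(':')[0].trim()))
    .join('\r\n');
}

// Parses a document.cookie-style string ("a=1; b=2") into a Map.
// Only the first "=" separates name from value, so values may contain "=".
function parseCookies(cookieString) {
  const jar = new Map();
  for (const pair of cookieString.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (name) jar.set(name, pair.slice(eq + 1).trim());
  }
  return jar;
}

// Returns 'logged-off', 'active' or 'unknown'. 'unknown' means script cannot
// see the cookie at all (HttpOnly, or scoped to another domain/path), so the
// caller needs a different signal, such as the response status.
function sessionState(cookieString, name = 'SMSESSION') {
  const jar = parseCookies(cookieString);
  if (!jar.has(name)) return 'unknown';
  return jar.get(name) === 'LOGGEDOFF' ? 'logged-off' : 'active';
}

// Constructed sample response headers.
const sampleHeaders = [
  'Content-Type: text/html',
  'set-cookie: SMSESSION=LOGGEDOFF; path=/',
  'Cache-Control: no-store',
].join('\r\n');

console.log(visibleResponseHeaders(sampleHeaders));
console.log(sessionState('lang=en; SMSESSION=LOGGEDOFF'));
console.log(sessionState('lang=en'));

// Browser wiring suggested in the comments (deferred read in `complete`):
//   complete: () => setTimeout(() => sessionState(document.cookie), 0)
```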