1

I've been struggling with the problem in the title for a couple of days already with no success. I have an ASP.NET MVC 3 REST server which requires basic authentication. I want to write a JS API that accesses this server in an AJAX way using XMLHttpRequest.

In response to any HTTP request, including AJAX ones, the server adds a "Set-Cookie: ASP.NET_SessionId=<session id here>; path=/; HttpOnly" header - that's OK. But it seems that the Set-Cookie header is not processed by the browser in any way - so even if I do the next request with the same XMLHttpRequest object, the cookie is not set properly and I can't maintain the session. What might I be doing wrong?

My script has been tested in Firefox 6 and Safari 5 and I have the same problem happening in both browsers.

sideshowbarker
Sergey Kudriavtsev

3 Answers

1

Although I haven't found any relevant solution to the original problem, I've been able to overcome it by implementing my custom transport for ASP.NET session and authentication artifacts.

In general, in my solution all ASP.NET artifacts are transferred from the server to clients as a JSON string appended to the response content, and from clients to the server as custom HTTP headers.

Not sure that I haven't reinvented the wheel by doing that, but at least it works...

Sergey Kudriavtsev
0

Make sure you don't have this icon in the Chrome address bar. They started blocking cookies from other domains, so your session id is lost.

Chrome blocks 3rd party cookies

Ivan Nikitin
0

Your subject mentions you are using CORS. If so, try adding the following header to your response:

Access-Control-Allow-Credentials: true
monsur
  • Already tried this; this header just allows XMLHttpRequest to send the credentials: if this header is not present in the server's response to the pre-flight request then the actual request would not occur. So I'm using it, the request goes to the server successfully and a response is generated with proper cookies. My problem is just that those correct cookies are not processed by the browser. – Sergey Kudriavtsev Oct 03 '11 at 07:13
  • How are you verifying that cookies are not processed by the browser? Note that JavaScript cannot access cookies set via CORS; they are only present on CORS requests/responses. – monsur Oct 03 '11 at 14:39
  • @monsur: Intercepted the entire HTTP session with Wireshark. Set-Cookie headers are present in server responses, but the session id is not set by the client on subsequent requests. – Sergey Kudriavtsev Oct 03 '11 at 19:49
  • Could this be similar to [the issue I'm having](http://stackoverflow.com/questions/7918697/what-is-eating-my-cookie-cookie-does-not-get-transferred-in-asmx-call)? – TweeZz Oct 27 '11 at 17:15
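
The conditions discussed in this thread (the `Access-Control-Allow-Credentials` header, third-party cookie blocking) together with the client-side `withCredentials` flag of XMLHttpRequest, as an added example that is not part of the original thread. The origins, the allowlist and all function names are constructed for illustration, and the outcome function is a simplified model of browser behaviour, not browser code.

```javascript
// Added example, not from the thread. Origins and allowlist are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Server side: CORS headers for a response that carries Set-Cookie.
// With credentials the browser rejects "Access-Control-Allow-Origin: *",
// so name the origin exactly, and only when it is on the allowlist.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Simplified model: can a cross-origin XHR keep a cookie-based session?
// Returns "ok" or the first reason the session would be lost.
function credentialedXhrOutcome(req) {
  const h = req.responseHeaders;
  if (!req.withCredentials)
    return "cookies ignored: xhr.withCredentials is false";
  if (req.thirdPartyCookiesBlocked)
    return "cookie dropped: browser blocks third-party cookies";
  if (h["Access-Control-Allow-Origin"] === "*")
    return "response blocked: wildcard origin with credentials";
  if (h["Access-Control-Allow-Origin"] !== req.origin)
    return "response blocked: origin not allowed";
  if (h["Access-Control-Allow-Credentials"] !== "true")
    return "response blocked: Access-Control-Allow-Credentials missing";
  return "ok";
}

// Client side (browser only, not called here): opt in to cookies on the XHR.
function sendWithSession(url, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url, true);
  xhr.withCredentials = true; // default false: cross-origin cookies are skipped
  xhr.onload = () => onDone(xhr.status, xhr.responseText);
  xhr.send();
}
```
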