Jivan
Reputation: 23068
Cookie in AJAX response from other domain not honored - are there workarounds
I have a server-side API on the domain api.example.com
User is visiting www.website.com where a script makes an XmlHttpRequest to api.example.com and gets a response with a cookie.
It appears the API's response cookie is not honored by the HTTP agent.
I'm aware of the non-cross-domain-leaking-cookie policy, but I thought the domain here would be api.example.com. Seems I guessed wrong.
Is there some other way that my API on api.example.com could remember user data from one site to another? If not, how could services like Criteo and other retargeting sites work, from this point of view?
Upvotes: 1
Views: 224
Answers (1)
Michal Foksa
Reputation: 12024
Make sure your API set:
Access-Control-Allow-Credentialsheader totruein possible preflight response and regular response,Access-Control-Allow-Originheader to value of the origin from the actual request,- and client sets
XMLHttpRequest.withCredentialstotrue.
Upvotes: 1
Related Questions
- How to enable CORS in ASP.net Core WebAPI
- Why is jQuery's .ajax() method not sending my session cookie?
- Setting a cookie on a subdomain from an ajax request
- why explicitly tell ajax to carry cookie when send cross-domain request still does not work?
- How do HttpOnly cookies work with AJAX requests?
- Can an AJAX response set a cookie?
- Cross Domain User Tracking
- Send request to check cookie from other domain