Reputation: 1520
Cross-Domain Cookie not sent to application after redirect
We are planning to support the integration of remote login forms to our application. For this I provide a CORS enabled API call that sets an authentication cookie for our application. The ajax call succeeds and the response contains the cookies, but once I redirect the browser to our application, the cookie is not contained anymore.
My setup consists of the login form running on http://myhost/login.html, the API login call is running on http://myapp:8080/login (ASP.net Web Api) and the application itself on http://myapp/app (ASP.net MVC)
The ajax call looks like this:
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://myapp:8080/login', true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.onload = function() {
var resp = xhr.responseText;
if(xhr.status == 200) {
document.querySelector('#status').innerHTML = 'Login successful <a href="http://myapp/app">Go to MyApp</a>';
}
else {
document.querySelector('#status').innerHTML = 'Login Failed : ' + xhr.statusText + '<br /><pre>' + xhr.responseText + '</pre>';
}
};
xhr.send(JSON.stringify({ UserName: 'User', Password: 'Pass' }));
And the server responds:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://myhost
Content-Length:0
Date:Fri, 23 Jun 2017 08:49:04 GMT
Server:Microsoft-HTTPAPI/2.0
Set-Cookie:MyAppToken=SecretToken; domain=myapp; path=/
When I directly afterwards investigate on the cookies (Google Chrome), I can see that the cookie was set with the correct domain and content. But upon page reload or redirect to http://myapp/app the cookie is not set anymore and also my planned auto-login is not kicking in.
Is there something else I need to consider when I want the MyAppToken to be available on the app after the AJAX call? I do not need access to the MyAppToken cookie on myhost it only needs to be available for myapp to do the login.
Update (2017-07-19)
With only changing our test environment the system described above is working without problems. It seems likely that certain security constraints are influencing whether the browser transmits the cookie to the target application. Especially the 3rd-party cookie policies mentioned by Dennis C. sounds reasonable.
Upvotes: 9
Views: 5603
Answers (3)
Reputation: 607
login form running on http://myhost/login.html,
the API login call is running on http://myapp:8080/login (ASP.net Web Api)
the application itself on http://myapp/app (ASP.net MVC)
In your application using loginform is one domain and api is another domain and your application is another domain.so, the access control is not working
If ASP net MVC Application if Access-Control-Allow-Origin refer url is
httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
(*) is used for accept request from any domain. you only accept particular domains the you will check the
Access-Control-Allow-Origin: {your api domain name}
Access-Control-Allow-Credentials: true
set the mvc domain request headers.
this Process it's your Code return Server Respons have the vaild cookie in header. this cookie is ajax requested response.it's not stored in domain based cookie storage in web browser. so,we cannot use the after redirect.because, the domain url based only cookies are storing in Web browser
In another way to save the cookie in your web browser in a same domain it's possible. but the Cross domain cookie Saving it's prossible for the Security Reasons.
Refer How to set a cookie for another domain using JavaScript?
so, In this Suitation you can Write the code after getting the Success response.
1)write the method in mvc Controller and write method with one param.
2)in html page set the one form with
<form id="crossorginpostform" method="post" action="">
<input type="hidden" id="apptoken" name="MyAppToken"/>
</form>
set the cookie value in apptoken field and change the url and javascript based you sumbit the form of your mvc controller method post the cookie and redirect to your required action.
you receive the cookie and reassign the cookie in that domain as you want.
Refer this Link How to set a cookie for another domain
in this place we are set the cross domain cookie from another domain their using PHP that the same way you set. I Hope this is Helpful for you.
Upvotes: 0
Reputation: 24747
By default, most browser will ignore all 3rd-party cookies unless some P3P policy is given.
I suggest you can checkout some other answered question on https://stackoverflow.com/questions/tagged/p3p?sort=votes
Upvotes: 0
Reputation: 6923
The absence of an expiration date means you are creating what is called a session only cookie. Closing your connection to your application could be causing the cookie to be cleared.
This is created like this:
HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
Response.Cookies.Add(CrossAuth);
If you want the cookie to persist, try adding an expiration date:
HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
CrossAuth.Expires = DateTime.Now.AddHours(3);
Response.Cookies.Add(CrossAuth);
Which should result in a cookie that looks like this:
Upvotes: 1
Related Questions
- Cookie sent from backend not being set on frontend
- Cross domain POST request is not sending cookie Ajax Jquery
- Cross origin, cookies and session
- Cookies are not set from Cross domain AJAX request
- ASP.NET MVC Ajax form submitted cross domain not sending Cookies
- JQuery ajax call on same domain not sending cookies when data is sent
- jQuery does not send Cookie to server
- AJAX request doesn't send Cookies set from same domain
- Safari not sending Cross Sub-Domain Cookie
- multi-sub-domain cookies and ajax problems