Reputation: 61
I have a unique scenario. I have a sessionToken (httpOnly cookie) set by one server. I need to add this sessionToken in a CORS request to another server. The CORS server uses this sessionToken for authentication. I understand this is not the best practice, but given our timeframe this is the only way out.
I tried setting withCredentials to true while making the CORS request, but that does not seem to be sending any cookies to the server. Is there any way to send the sessionToken to another server in a header?
I have tried setting withCredentials to true, but while checking the network request, no cookies from the origin domain are being sent in the CORS request.
Upvotes: 1
Views: 621
Reputation: 714
You cannot do this. withCredentials will only send cookies for the domain the request is to; it does not send the cookies from the domain the request is made from. This would be a huge security hole.
You can make the cookie not httpOnly, read the value, and send it in an Authorization header to the other domain instead. Although I wouldn't recommend this, since it isn't as secure.
Using an authentication scheme such as OAuth which returns a JWT that has an audience set for both domains that can be passed in the Authorization header and verified by both domains would seem better to me.
Upvotes: 1
Reputation: 1682
Website B can't read a cookie from website A.
I think you can use tokens instead: return a JWT token (session info), and the client side will submit this token to the other domain.
Upvotes: 0