molerat

Reputation: 994

Laravel 5.8 / VueJs 2 / Axios GET request does not send cookies (CORS, subdomain)

Setup

We have a server with the domain test.de and two applications A and B running on the same server but on subdomains:

a.test.de
b.test.de

Problem

A sends a GET request to B's API, but it's always sending the request without cookies, even though it should.

Because the endpoint is protected, we always get 401 Unauthorized back. Requests to unprotected endpoints on B cause no issues, because they don't need the cookies.

Things we have tried:

<?php

return [
    'supportsCredentials' => true,
    'allowedOrigins' => ['*'],
    'allowedOriginsPatterns' => [],
    'allowedHeaders' => ['*'],
    'allowedMethods' => ['*'],
    'exposedHeaders' => [],
    'maxAge' => 0,
];

Upvotes: 1

Views: 930

Answers (2)

molerat

Reputation: 994

It seems we had permission issues on our server which prevented the frontend code from updating and therefore the withCredentials option was not going through.

Whoever has this issue in the future: please read the question and you will see the things we have tried. It's important to understand that for CORS certain headers need to be sent back and forth in order to allow cookies to be sent.

Sorry for the buzz....

Upvotes: 1
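The header exchange the question and the accepted answer are describing, as an added example that is not part of either post: a server-side decision function that echoes an exact allowed origin (a credentialed response with Access-Control-Allow-Origin: * is rejected by browsers) and a simplified model of the check a browser applies before exposing a withCredentials response to page script. The allow-list, cookie value and request objects are constructed for this example.

```javascript
// Exact origins only; never '*' when cookies are involved (constructed allow-list).
const ALLOWED_ORIGINS = new Set(['https://a.test.de']);

// Server side (what the Laravel CORS config on B must produce): for a
// credentialed request the browser requires the request's own Origin to be
// echoed back together with Access-Control-Allow-Credentials: true.
function corsHeadersFor(req) {
  const origin = req.headers['origin'];
  // Unknown or missing Origin: emit no CORS headers at all, so the browser blocks access.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,        // echo the exact origin, not '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                             // caches must not reuse across origins
  };
  if (req.method === 'OPTIONS') {                 // preflight: also announce methods/headers
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Requested-With, X-XSRF-TOKEN';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Browser side (simplified): the check applied to a response for a request
// made with withCredentials: true before script on `origin` may read it.
function browserAcceptsCredentialed(origin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === '*') return false;                 // wildcard is never accepted with credentials
  if (acao !== origin) return false;              // must match the requesting origin exactly
  return headers['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed sample requests: A calling B with its session cookie, and an unknown origin.
const fromA = { method: 'GET', headers: { origin: 'https://a.test.de', cookie: 'laravel_session=example' } };
const fromUnknown = { method: 'GET', headers: { origin: 'https://evil.example' } };

function demo() {
  const wildcardOnly = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
  return {
    allowed: browserAcceptsCredentialed('https://a.test.de', corsHeadersFor(fromA)),       // true
    unknownBlocked: Object.keys(corsHeadersFor(fromUnknown)).length === 0,                 // true
    wildcardRejected: browserAcceptsCredentialed('https://a.test.de', wildcardOnly),       // false
  };
}

console.log(demo());
```

On the Laravel side this corresponds to listing the exact origins in allowedOrigins instead of '*' while keeping supportsCredentials true; on the Axios side the request must be sent with withCredentials: true, otherwise no cookie leaves the browser regardless of the server's headers.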

Screeper

Reputation: 158

Try the middleware below... If it doesn't help I'll delete the answer ;)

<?php

namespace App\Http\Middleware;

use Closure;
use Symfony\Component\HttpFoundation\StreamedResponse;

class ModifyHeadersMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $response = $next( $request );
        if($response instanceof StreamedResponse) {
            $response->headers->set('Access-Control-Allow-Origin', '*' );
            $response->headers->set( 'Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Authorization, Accept, Application' );
            $response->headers->set( 'Access-Control-Allow-Methods', 'PUT, POST, GET, DELETE, OPTIONS' );
        } else {
            $response->header( 'Access-Control-Allow-Origin', '*' );
            $response->header( 'Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Authorization, Accept, Application' );
            $response->header( 'Access-Control-Allow-Methods', 'PUT, POST, GET, DELETE, OPTIONS' );
        }

        return $response;
    }
}

Upvotes: 0
