RHarris

Reputation: 11227

ASPXAUTH cookie not being stored after CORS request

I've been asked to write a javascript/HTML front-end to connect to a set of WCF services. I can use Postman to hit the Logon service and I can see that on a valid logon, two cookies are set .ASPXAUTH and ASP.NET_SessionId.

When I hit the same service from my javascript code, I get a 200 response and in the network section of Chrome developer tools, I can see the Set-Cookie header in the response for each of the two cookies.

However, the cookies do not get stored in the browser so subsequent requests to the server fail because they lack the cookie credentials.

The client app is on a different domain (https://localhost:44357) than the server (http://localhost:3101) so CORS is in play. The client call is made using aurelia-http-client which is a wrapper around XMLHttpRequest. I'm using .withCredentials() which is supposed to add the credentials: true header. You can see that it is being included:

[Screenshot: the request as shown in the Chrome developer tools network panel]

The Server is configured for CORS like so:

using System;
using System.Web;

// Global.asax handler: runs for every request, including the CORS preflight.
protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "https://localhost:44357");
    if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
    {
        // These headers are only emitted on the preflight (OPTIONS) response,
        // not on the response to the actual POST that carries Set-Cookie.
        HttpContext.Current.Response.AddHeader("Cache-Control", "no-cache");
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS");
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type,Accept,credentials");
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Credentials", "true");
        HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000");
    }
}

What am I missing? Why aren't the cookies from the WCF Server being stored by the browser?

Upvotes: 1

Views: 495

Answers (1)

RHarris

Reputation: 11227

In playing around, I found that moving the Access-Control-Allow-Credentials header outside the if statement did the trick.

protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin",...)
    //Had to move this line outside of the if statement
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Credentials","true");
    if(...)
    {
       ...
    }
}

Upvotes: 1
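The reason the answer's change works is that the browser applies the same CORS check to the actual response as to the preflight: for a credentialed request, Access-Control-Allow-Origin must match the page's origin exactly (no `*`) and Access-Control-Allow-Credentials must be exactly `true`, or the response is blocked. The following is an added example (not code from the question or answer) that models that check in JavaScript against a constructed simulation of both server configurations above; `serverHeaders`, `credentialedResponseAllowed` and `cookiesWouldBeStored` are names chosen for this illustration.

```javascript
// Added example: models the browser's CORS check for a credentialed
// (withCredentials) request. Header values are constructed to mirror the
// ASP.NET snippets above; nothing here is taken from a real server.
const CLIENT_ORIGIN = "https://localhost:44357";

// Simulates Application_BeginRequest for one request. With
// credentialsInsideIf=true the Allow-Credentials header is only sent on
// the OPTIONS preflight (the question's config); with false it is sent
// on every response (the answer's fix).
function serverHeaders(method, { credentialsInsideIf }) {
  const h = { "Access-Control-Allow-Origin": CLIENT_ORIGIN };
  const preflight = method === "OPTIONS";
  if (!credentialsInsideIf) h["Access-Control-Allow-Credentials"] = "true";
  if (preflight) {
    h["Access-Control-Allow-Methods"] = "GET,POST,OPTIONS";
    h["Access-Control-Allow-Headers"] = "Content-Type,Accept,credentials";
    if (credentialsInsideIf) h["Access-Control-Allow-Credentials"] = "true";
  }
  return h;
}

// CORS check for a response to a credentialed request: the origin must
// match exactly (a "*" wildcard is rejected when credentials are used)
// and Access-Control-Allow-Credentials must be the literal "true".
function credentialedResponseAllowed(origin, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin !== origin) return false; // "*" or missing fails here
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Full credentialed POST flow: preflight first, then the actual request.
// Returns true only if the browser would accept the actual response,
// i.e. the one carrying the Set-Cookie headers for .ASPXAUTH and
// ASP.NET_SessionId.
function cookiesWouldBeStored(config) {
  const preflight = serverHeaders("OPTIONS", config);
  if (!credentialedResponseAllowed(CLIENT_ORIGIN, preflight)) return false;
  const actual = serverHeaders("POST", config);
  return credentialedResponseAllowed(CLIENT_ORIGIN, actual);
}

console.log(cookiesWouldBeStored({ credentialsInsideIf: true }));  // false
console.log(cookiesWouldBeStored({ credentialsInsideIf: false })); // true
```

Note that `withCredentials` is an XMLHttpRequest flag, not a request header, so the `credentials` entry in Access-Control-Allow-Headers has no effect; only the two response headers checked above matter.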
