AngularJS withCredentials Not Sending

Question

In AngularJS, I have my Restful API in a subdomain but I am having the problem where the cookie/session is not being shared across domains. For Angular I am doing this:

app.config(['$httpProvider',
function($httpProvider) {
    $httpProvider.defaults.useXDomain = true;
    $httpProvider.defaults.withCredentials = true;
    delete $httpProvider.defaults.headers.common['X-Requested-With'];
}]);

Also when I am making a request with $http I am doing

var object = {};

object.url = '/example'
object.withCredentials = true;

$http(object).success(object.success).error(object.error);

And On my server side I have:

if($_SERVER['REQUEST_METHOD']=='OPTIONS') {
    if(isset($_SERVER['HTTP_X_FOWARDED_HOST']) && !empty($_SERVER['HTTP_X_FOWARDED_HOST'])) {
        $origin=$_SERVER['HTTP_X_FOWARDED_HOST'];
    } else {
        $origin=$_SERVER['HTTP_ORIGIN'];
    }
    if(isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && ($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='POST' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='DELETE' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='PUT')) {
        header('Access-Control-Allow-Origin: '.$origin);
        header('Access-Control-Allow-Credentials: true');
        header('Access-Control-Allow-Headers:  *,X-Requested-With,Content-Type');
        //header('Access-Control-Allow-Headers: Content-Type');
        header('Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT');
        // http://stackoverflow.com/a/7605119/578667
        header('Access-Control-Max-Age: 86400');
    }

}

Now I see that the server is saying that it will allow credentials but its not being sent in the options request. Screenshot below.

What am I doing wrong?

Answer 1

By default credentials are NOT sent in a CORS pre-flight OPTIONS request. See here. See also this answer. The credentials will be sent on your actual request.

Also, useXDomain and X-Request-With headers are not actually used in current versions of angular, so those lines are doing nothing in your $httpProvider config. All CORS interaction is handled by the browser itself and your server.

In general to properly implement CORS your server should not require credentials on the preflight request. (Please note that some browsers send them anyway, but shouldn't.) This is because an OPTIONS request is considered "safe" and should never contain any confidential information.

It may be your problem is in the cookies you're trying to share across domains. What cookies are you trying to send where?