My application has a PHP server and a client (a JS single-page app). They are separate projects and deployed in different domains. The client consumes a RESTful API exposed by the server.
This application is to be integrated with a third party which handles authentication, so users cannot login directly. Our server just receives an SSO token (which comes appropriately signed so that we verify its integrity).
We also enforce security at the transport layer for all requests.
What I'd like to do is, once the SSO token is verified, start a session of my own and then redirect the user to the client. I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls, but it doesn't seem to be the case.
Is this deliberately disabled due to security reasons?
To allow receiving & sending cookies by a CORS request successfully, do the following. Back-end (server): Set the HTTP header Access-Control-Allow-Credentials value to true . Also, make sure the HTTP headers Access-Control-Allow-Origin and Access-Control-Allow-Headers are set and not with a wildcard *.
Third-party cookies Note that cookies set in CORS responses are subject to normal third-party cookie policies. In the example above, the page is loaded from foo.example, but the cookie on line 20 is sent by bar.other, and would thus not be saved if the user has configured their browser to reject all third-party cookies. The HTTP response headers
In order for the client to be able to read cookies from cross-origin requests, you need to have: All responses from the server need to have the following in their header: In my implementation with Angular 7 and Spring Boot, I achieved that with the following:
CORS is a header-based security mechanism used by the server to tell the browser to send a cross-origin request from trusted domains. The server enabled with CORS headers used to avoid cross-origin requests blocked by browsers.
You must set withCredentials
to true
for cross-origin XHR requests to include cookies.
The CORS response must also say Access-Control-Allow-Credentials: true
(which is why widthCredentials
defaults to false
).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With