Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

CORS requests with session/cookie

Tags:

php

cors

cookies

session

My application has a PHP server and a client (a JS single-page app). They are separate projects and deployed in different domains. The client consumes a RESTful API exposed by the server.

This application is to be integrated with a third party which handles authentication, so users cannot login directly. Our server just receives an SSO token (which comes appropriately signed so that we verify its integrity).

We also enforce security at the transport layer for all requests.

What I'd like to do is, once the SSO token is verified, start a session of my own and then redirect the user to the client. I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls, but it doesn't seem to be the case.

Is this deliberately disabled due to security reasons?

like image 963
cafonso Avatar asked Jan 23 '16 20:01

cafonso

People also ask

How do I allow receiving&sending cookies by cors request?

To allow receiving & sending cookies by a CORS request successfully, do the following. Back-end (server): Set the HTTP header Access-Control-Allow-Credentials value to true . Also, make sure the HTTP headers Access-Control-Allow-Origin and Access-Control-Allow-Headers are set and not with a wildcard *.

What is a third party cookie in Cors response?

Third-party cookies Note that cookies set in CORS responses are subject to normal third-party cookie policies. In the example above, the page is loaded from foo.example, but the cookie on line 20 is sent by bar.other, and would thus not be saved if the user has configured their browser to reject all third-party cookies. The HTTP response headers

How to read cookies from a cross-origin request?

In order for the client to be able to read cookies from cross-origin requests, you need to have: All responses from the server need to have the following in their header: In my implementation with Angular 7 and Spring Boot, I achieved that with the following:

What is CORS (Cross-Origin Resource Sharing)?

CORS is a header-based security mechanism used by the server to tell the browser to send a cross-origin request from trusted domains. The server enabled with CORS headers used to avoid cross-origin requests blocked by browsers.

1 Answers

You must set withCredentials to true for cross-origin XHR requests to include cookies.

The CORS response must also say Access-Control-Allow-Credentials: true (which is why widthCredentials defaults to false).

like image 135
Quentin Avatar answered Oct 07 '22 19:10

Quentin
Sign in to Comment

Related questions

Why does right shifting -1 always gives -1 in PHP?
How to change default view path in Yii2?
sonata admin bundle symfony
php resize image without loss quality
yii2, google outh2 and scope
Laravel Eloquent find for composite key
Difference between Semantic error and logical error
Laravel 5 - Finding the pagination page for a model
Allow only author to edit his post in yii2 using ACF
Is it possible to include an image in a HTML email in Laravel
Yii2 save array of form fields to a single database field
Change charset and engine for Doctrine2's ManyToMany relationship's intermediary table
PHP & PDO: Connect to MySQL using IPv6 address
How can I apply a Model Transformer to collection items in Symfony2 forms?
How to declare unlimited parameters in Laravel?
Refresh a handsontable
Test basic auth
PHP - compare the structure of two JSON objects
How can i decode hash value in laravel 5?
How to create database with doctrine2?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!