Credentials: 'include' not including Cookie header

I'm using credentials: 'include' and mode: 'cors' on the client. On the server I see access-control-allow-credentials: true and access-control-allow-origin: https://dev.com:9443 headers. I don't see my cookie header though and I can't seem to find why it isn't sending. Let me know if I can provide any further details.

Fetch request

fetch(url, {
  method: 'get',
  credentials: 'include',
  mode: 'cors',
  headers: {
    'Content-Type': 'application/json'
  }
});

Options Request Headers

:authority: prod.fakedomain.com
:method: OPTIONS
:path: /Search
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,fr;q=0.8,la;q=0.7
access-control-request-headers: content-type
access-control-request-method: GET
cache-control: no-cache
dnt: 1
origin: https://dev.com:9443
pragma: no-cache
referer: https://dev.com:9443/
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Options Response Headers

access-control-allow-credentials: true
access-control-allow-headers: content-type
access-control-allow-methods: GET,HEAD,POST
access-control-allow-origin: https://dev.com:9443
access-control-max-age: 1800
allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
content-length: 0
date: Mon, 04 Feb 2019 03:45:06 GMT
status: 200
vary: Origin
x-application-context: application:8080

Get Request Headers

:authority: prod.fakedomain.com
:method: GET
:path: /Search
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,fr;q=0.8,la;q=0.7
cache-control: no-cache
content-type: application/json
dnt: 1
origin: https://dev.com:9443
pragma: no-cache
referer: https://dev.com:9443/
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Get Response Headers

access-control-allow-credentials: true
access-control-allow-origin: https://dev.com:9443
content-encoding: gzip
content-type: application/json;charset=UTF-8
date: Mon, 04 Feb 2019 03:45:07 GMT
status: 200
vary: Origin,Accept-Encoding
x-application-context: application:8080
anthony-dandrea asked Feb 04 '19 03:02



2 Answers

I finally found out that the problem is just that the browser does not allow two different domains to share any cookie (except for the same second-level domain); it's beyond what credentials: 'include' can do. After 2 hours of trying, I found out that credentials: 'include' just means you can send cookies, but it doesn't mean you can send cookies between two different domains...

Whatever you do, change browser settings, set the cookie's SameSite, any way, you just can't do that...

So that is my conclusion, hope you get it...

BertieHuang answered Oct 07 '22 02:10



I was able to resolve this issue by going into my Safari privacy settings and unchecking "Prevent cross-site tracking".

Sergio Mendoza answered Oct 07 '22 01:10
