We are planning to support the integration of remote login forms to our application. For this I provide a CORS enabled API call that sets an authentication cookie for our application. The ajax call succeeds and the response contains the cookies, but once I redirect the browser to our application, the cookie is not contained anymore.
My setup consists of the login form running on http://myhost/login.html, the API login call is running on http://myapp:8080/login (ASP.net Web Api) and the application itself on http://myapp/app (ASP.net MVC)
The ajax call looks like this:
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://myapp:8080/login', true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.onload = function() {
var resp = xhr.responseText;
if(xhr.status == 200) {
document.querySelector('#status').innerHTML = 'Login successful <a href="http://myapp/app">Go to MyApp</a>';
}
else {
document.querySelector('#status').innerHTML = 'Login Failed : ' + xhr.statusText + '<br /><pre>' + xhr.responseText + '</pre>';
}
};
xhr.send(JSON.stringify({ UserName: 'User', Password: 'Pass' }));
And the server responds:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://myhost
Content-Length:0
Date:Fri, 23 Jun 2017 08:49:04 GMT
Server:Microsoft-HTTPAPI/2.0
Set-Cookie:MyAppToken=SecretToken; domain=myapp; path=/
When I directly afterwards investigate on the cookies (Google Chrome), I can see that the cookie was set with the correct domain and content. But upon page reload or redirect to http://myapp/app the cookie is not set anymore and also my planned auto-login is not kicking in.
Is there something else I need to consider when I want the MyAppToken
to be available on the app after the AJAX call? I do not need access to the MyAppToken
cookie on myhost
it only needs to be available for myapp
to do the login.
With only changing our test environment the system described above is working without problems. It seems likely that certain security constraints are influencing whether the browser transmits the cookie to the target application. Especially the 3rd-party cookie policies mentioned by Dennis C. sounds reasonable.
Open Chrome preferences click on Settings, then Show Advanced Settings. Under Privacy, click on Content Settings. Make sure “Block third-party cookies and site data” is not checked.
Each origin gets its own separate storage, and JavaScript in one origin cannot read from or write to the storage belonging to another origin. Cookies use a separate definition of origins. A page can set a cookie for its own domain or any parent domain, as long as the parent domain is not a public suffix.
The absence of an expiration date means you are creating what is called a session only cookie. Closing your connection to your application could be causing the cookie to be cleared.
This is created like this:
HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
Response.Cookies.Add(CrossAuth);
If you want the cookie to persist, try adding an expiration date:
HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
CrossAuth.Expires = DateTime.Now.AddHours(3);
Response.Cookies.Add(CrossAuth);
Which should result in a cookie that looks like this:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With