
HTTP Cookies and Ajax requests over HTTPS

I know this has been asked before in various forms, but I can't seem to get around the problem. I have tried using both jQuery and the native JS API to make the Ajax requests.

My situation is the following (see attached diagram):

  1. Browser makes HTTP request
  2. Server responds and sets persistent Cookie
  3. Browser makes HTTP Ajax request, Cookie is there alright
  4. Server responds as expected, updates Cookie
  5. Browser makes HTTPS Ajax request, Cookie is not there anymore (?!)
  6. Server gives "default" response, since there is no Cookie (unintended behaviour)

Before anybody starts a lecture on cross-domain requests let me state a couple of things:

  • I know that this is a cross-domain request (different protocol), and that's why the Server sets the Access-Control-Allow-Origin header in the response (and I am using Chrome and Firefox, both of which support CORS)
  • What I also know, though, is that the HTTP cookie ought to be manageable over HTTPS (see here) since the host is the same
  • (EDIT) The cookie is properly set for the general domain (e.g. .domain.ext) and neither the HttpOnly nor the Secure flags are set

So, why, why, why doesn't the browser pass on the cookie when making the HTTPS Ajax call? Any ideas? I am about to lose my mind...

    +-----------+   HTTP Request    +-----------+
    |Browser    |+---------------->|Server     |
    +-----------+                  +-----------+
                   HTTP Response
                 <----------------+
                   Set-cookie

                   Ajax HTTP Req.
                 +---------------->
                   Cookie (OK)

                   HTTP Response
                 <----------------+
                   Set-cookie (OK)

                   Ajax HTTPS Req.
                 +---------------->
                   No Cookie (!!!)

NeXuS asked Apr 19 '12 14:04



1 Answer

Ok, found the solution to the cookie problem.

See XHR specs, jQuery docs and StackOverflow.

The solution to have the cookies sent when switching protocol and/or subdomain is to set the withCredentials property to true.

E.g. (using jQuery)

    $.ajax({
      /* Setup the call */
      xhrFields: {
        withCredentials: true
      }
    });

NeXuS answered Sep 22 '22 20:09
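Added example, not code from the question or the answer above: the server side that has to match a `withCredentials: true` request. Once credentials are included, the browser only exposes the response if the server echoes the exact `Access-Control-Allow-Origin` (a `*` wildcard is rejected for credentialed requests) and sends `Access-Control-Allow-Credentials: true`; the origins and the `handleCors` helper are assumptions for illustration.

```javascript
// Added example, not code from the question or answer: the server side that a
// withCredentials: true (or fetch(..., { credentials: 'include' })) request
// needs. Browsers refuse a credentialed response whose
// Access-Control-Allow-Origin is "*", so the exact Origin must be echoed,
// and Access-Control-Allow-Credentials must be "true". Origins are constructed.

// Allow-list of page origins permitted to make credentialed calls (constructed).
// The HTTP page in the question calls the HTTPS endpoint, so both schemes
// of the site are listed; a scheme change alone already makes it cross-origin.
const ALLOWED_ORIGINS = new Set([
  'http://www.domain.ext',
  'https://www.domain.ext',
]);

// CORS headers for a request carrying `origin`, or null if it is not allowed.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,         // exact origin, never "*"
    'Access-Control-Allow-Credentials': 'true',    // lets the cookie ride along
    'Vary': 'Origin',                              // response depends on Origin
  };
}

// Decide the status and headers for a preflight (OPTIONS) or actual request.
// `req` is a minimal { method, headers } object so this runs without a socket.
// Note that a simple GET with a cookie reaches the server even when CORS
// denies the read: CORS gates the response, not the request, so state-changing
// handlers still need their own CSRF protection.
function handleCors(req) {
  const origin = req.headers['origin'];
  if (origin === undefined) return { status: 200, headers: {} }; // not cross-origin
  const cors = corsHeadersFor(origin);
  if (cors === null) return { status: 403, headers: {} };       // unknown origin
  if (req.method === 'OPTIONS') {
    return {
      status: 204,
      headers: {
        ...cors,
        'Access-Control-Allow-Methods': 'GET, POST',
        'Access-Control-Allow-Headers': 'Content-Type',
      },
    };
  }
  return { status: 200, headers: cors };
}
```

Without the `Access-Control-Allow-Credentials` header the browser still sends the cookie on the HTTPS call but refuses to hand the response to the script, which looks much like the "no cookie" symptom from the page.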