Menu
Unlike simple requests (discussed above), "preflighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send.
(https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS)
Due to CORS, cookies are not being sent along the preflight request. This behaviour is confirmed by that issue. https://bugs.chromium.org/p/chromium/issues/detail?id=377541
But what does happen if Set-Cookie is returned in the response? Does the browser remembers that new cookie or simply discards it?
417
The preflight request will never include the cookie, but a request without a preflight might. This is true even if the server doesn't include the Access-Control-Allow-Credentials header and the request is rejected (as indicated with the X).
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
To send cookies to the server, you need to add the "Cookie: name=value" header to your request. To send multiple Cookies in one cookie header, you can separate them with semicolons. In this Send Cookies example, we are sending HTTP cookies to the ReqBin echo URL.
The Set-Cookie header is sent by the server in response to an HTTP request, which is used to create a cookie on the user's system. The Cookie header is included by the client application with an HTTP request sent to a server, if there is a cookie that has a matching domain and path.
Browser discards Set-Cookie in the response to OPTIONS.
(Tried Chrome, Firefox, and Opera. Set-Cookie in the response to OPTIONS is always ignored.)
179
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
