
Set-Cookie header behaviour in a Preflight OPTIONS request

Tags:

http

Unlike simple requests (discussed above), "preflighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send.

(https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS)

Due to CORS, cookies are not being sent along with the preflight request. This behaviour is confirmed by this issue: https://bugs.chromium.org/p/chromium/issues/detail?id=377541

But what does happen if Set-Cookie is returned in the response? Does the browser remember that new cookie or simply discard it?

asked Jan 05 '17 06:01

Ilia Sidorenko



1 Answer

Browser discards Set-Cookie in the response to OPTIONS.

(Tried Chrome, Firefox, and Opera. Set-Cookie in the response to OPTIONS is always ignored.)

answered Oct 12 '22 13:10

cshu
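
A way to reproduce the check described in the answer, as an added example that is not part of the original question or answer: a small Node server that sets one marker cookie on the preflight response and a different one on the actual response, plus an `/echo` endpoint that reports which cookie names the browser sends back. The file name `rig.js`, the ports, the `X-Probe` header and the cookie names are assumptions made for this rig; per the answer above, `/echo` is expected to list only `from_actual`.

```javascript
// Constructed test rig. Run with: node rig.js --serve  (listens on :9000)
// From a page served on ALLOWED_ORIGIN, run in the console:
//   await fetch('http://localhost:9000/set', { method: 'PUT',
//     credentials: 'include', headers: { 'X-Probe': '1' } });   // preflighted
//   await (await fetch('http://localhost:9000/echo',
//     { credentials: 'include' })).json();                      // what stuck?
const ALLOWED_ORIGIN = 'http://localhost:8000'; // assumption: the calling page

function parseCookieNames(cookieHeader) {
  return (cookieHeader || '')
    .split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter(Boolean);
}

function respond(method, path, reqHeaders) {
  const headers = {
    'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
  if (method === 'OPTIONS') {
    // Preflight response: carries a marker cookie the browser should ignore.
    headers['Access-Control-Allow-Methods'] = 'GET, PUT';
    headers['Access-Control-Allow-Headers'] = 'X-Probe';
    headers['Set-Cookie'] = 'from_preflight=1; Path=/';
    return { status: 204, headers, body: '' };
  }
  if (path === '/echo') {
    // Report the cookie names the browser sent back.
    const cookies = parseCookieNames(reqHeaders.cookie);
    headers['Content-Type'] = 'application/json';
    return { status: 200, headers, body: JSON.stringify({ cookies }) };
  }
  // Actual (non-preflight) response: a different marker cookie.
  headers['Set-Cookie'] = 'from_actual=1; Path=/';
  return { status: 200, headers, body: 'ok' };
}

if (process.argv.includes('--serve')) {
  import('node:http').then(({ createServer }) => {
    createServer((req, res) => {
      const r = respond(req.method, req.url, req.headers);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    }).listen(9000);
  });
}
```

Clear the cookies for `localhost` between runs so a marker left over from an earlier attempt does not skew the result.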