I'm developing a REST API which needs to be stateful (no workaround for that; I'm using a native lib with no serializable objects, etc.).
This REST API is exposed on a web server on a domain domainA. The response contains an Access-Control-Allow-Origin header set to *, so I don't need JSON-P. (I don't know if this detail matters.)
I made a GWT sample that uses this API from domainB, requesting domainA. Browsers do not add the cookie previously set. It works 'statelessly'.
Must the sample be on domainA too? Is there a workaround or a specific header to set?
Edit: I set a main domain in the cookie, and it doesn't work. The browser still doesn't send the session cookie in the next request header.
Request:
Request URL:http://subdomainB.mydomain.com/request
Request Method:POST
Status Code:200 OK
Request Headers:
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Content-Length:1185
Content-type:application/x-www-form-urlencoded
Host:subdomainB.mydomain.com
Origin:http://subdomainA.mydomain.com
Referer:http://subdomainA.mydomain.com/BLABLABLA
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.8 (KHTML, like Gecko) Chrome/20.0.1105.0 Safari/536.8
Response:
Response Headers:
Access-Control-Allow-Origin:*
Cache-Control:no-cache, no-store, max-age=0
Connection:Keep-Alive
Content-Language:fr-FR
Content-Type:application/json;charset=UTF-8
Date:Wed, 25 Apr 2012 07:59:03 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT, Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive:timeout=15, max=100
Pragma:no-cache
Server:Jetty(7.5.4.v20111024)
Set-Cookie:JSESSIONID=cookieValue;Path=/;Domain=.mydomain.com
Transfer-Encoding:chunked
Check whether the OPTIONS response header Access-Control-Allow-Credentials is set to true. If the server doesn't allow credentials being sent along, the browser will just not attach cookies and authorization headers. So this could be another reason why the cookies are missing in the POST cross-site request.
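The server-side half of this answer, as an added example that is not code from the question, from GWT or from Jetty: a small request handler that emits the credentialed CORS headers only for an allowlisted origin, and the matching client-side request options. The allowlist, the host names and the cookie value are constructed for the example. The point it demonstrates beyond the answer text is that Access-Control-Allow-Credentials: true cannot be combined with Access-Control-Allow-Origin: *, so the server has to echo one exact origin and add Vary: Origin, and that the client must opt in as well.

```javascript
// Added example, not from the original post or from GWT/Jetty: the server-side
// decision logic for credentialed CORS, exercised without a real socket.
// The allowlist, hosts and cookie value below are constructed for the example.

const ALLOWED_ORIGINS = new Set(['http://subdomainA.mydomain.com']);

// Headers that let a browser attach cookies to a cross-origin request.
// With credentials the wildcard is not accepted: Access-Control-Allow-Origin
// must echo one exact origin, so the value is taken from an allowlist, and
// Vary: Origin tells caches that the response depends on the request's Origin.
function corsHeaders(origin, preflight) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const h = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
  if (preflight) {
    h['Access-Control-Allow-Methods'] = 'GET, POST';
    h['Access-Control-Allow-Headers'] = 'Content-Type';
    h['Access-Control-Max-Age'] = '600';
  }
  return h;
}

// Minimal request handler: req = { method, headers: { origin, cookie } }.
// Returns { status, headers, body } the way an HTTP layer would send it.
function handle(req) {
  const origin = req.headers.origin;
  const preflight = req.method === 'OPTIONS';
  const cors = corsHeaders(origin, preflight);

  // A disallowed origin gets no CORS headers at all (here: a 403), so the
  // browser refuses to hand the response to the calling page.
  if (origin && !cors) {
    return { status: 403, headers: {}, body: '' };
  }
  if (preflight) {
    return { status: 204, headers: cors, body: '' };
  }
  // The session cookie comes back in the Cookie header only when the client
  // opted in (withCredentials / credentials: 'include') and the server
  // answered with the credential headers above.
  const hasSession = /(^|;\s*)JSESSIONID=/.test(req.headers.cookie || '');
  const headers = Object.assign({ 'Content-Type': 'application/json' }, cors || {});
  if (!hasSession) {
    // constructed session id; a real container generates a random one
    headers['Set-Cookie'] = 'JSESSIONID=abc123; Path=/; Domain=.mydomain.com; HttpOnly';
  }
  return { status: 200, headers, body: JSON.stringify({ stateful: hasSession }) };
}

// Client-side counterpart: the request must ask for credentials explicitly,
// otherwise the browser strips cookies from the cross-origin request even
// when the server would accept them.
function clientOptions(body) {
  return {
    method: 'POST',
    credentials: 'include',  // fetch(); with XMLHttpRequest set xhr.withCredentials = true
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  };
}
```

Two caveats when applying this to the capture in the question: a POST with Content-Type application/x-www-form-urlencoded is a "simple" request and is not preflighted, so the credential headers have to be on the POST response itself, not only on the OPTIONS response; and an origin allowlist is the thing that keeps a credentialed endpoint from becoming a CSRF target, since reflecting any Origin with Allow-Credentials: true lets every site call the API with the user's session. In GWT the client-side opt-in is RequestBuilder.setIncludeCredentials(true).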
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
The Set-Cookie header is sent by the server in response to an HTTP request, which is used to create a cookie on the user's system. The Cookie header is included by the client application with an HTTP request sent to a server, if there is a cookie that has a matching domain and path.
The HTTP header Set-Cookie is a response header used to send cookies from the server to the user agent, so that the user agent can send them back to the server later and the server can identify the user.
According to the spec, the correct syntax is:
set-cookie-header = "Set-Cookie:" SP set-cookie-string
set-cookie-string = cookie-pair *( ";" SP cookie-av )
cookie-pair = cookie-name "=" cookie-value
...
So it seems what you're missing is a space character after each semicolon.
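As an added example that is not part of any answer above, here is a user-agent-style Set-Cookie parser written to the parsing algorithm of RFC 6265 section 5.2 together with the domain-match (5.1.3), path-match (5.1.4) and storage (5.3) rules, run over the header from the question. The ABNF quoted above is the producer-side grammar; the user-agent algorithm trims whitespace around every attribute name and value, so a parser written to it accepts the Jetty header with or without the space after the semicolon, and the interesting part is what the Domain attribute actually does. The host names and header strings are constructed.

```javascript
// Added example, not code from the question or any answer: a user-agent-style
// Set-Cookie parser following RFC 6265 section 5.2 and the storage/matching
// rules of sections 5.1.3, 5.1.4 and 5.3. Hosts and header strings are constructed.

// Parse one Set-Cookie header value into a cookie record, or null if ignored.
// requestHost is the host the response came from (needed for the default domain).
function parseSetCookie(header, requestHost) {
  const [nameValue, ...attrs] = header.split(';');
  const eq = nameValue.indexOf('=');
  if (eq < 0) return null;                       // 5.2 step 2: no '=' -> ignore
  const name = nameValue.slice(0, eq).trim();    // WSP around name/value is dropped,
  const value = nameValue.slice(eq + 1).trim();  // so "; " and ";" parse identically
  if (name === '') return null;
  const cookie = { name, value, domain: requestHost.toLowerCase(), hostOnly: true,
                   path: '/', secure: false, httpOnly: false };
  for (const raw of attrs) {
    const i = raw.indexOf('=');
    const aName = (i < 0 ? raw : raw.slice(0, i)).trim().toLowerCase();
    const aValue = (i < 0 ? '' : raw.slice(i + 1)).trim();
    if (aName === 'domain' && aValue !== '') {
      cookie.domain = aValue.replace(/^\./, '').toLowerCase();  // 5.2.3: leading dot ignored
      cookie.hostOnly = false;
    } else if (aName === 'path' && aValue.startsWith('/')) {
      cookie.path = aValue;                                      // 5.2.4
    } else if (aName === 'secure') {
      cookie.secure = true;
    } else if (aName === 'httponly') {
      cookie.httpOnly = true;
    }
    // unknown attributes are ignored
  }
  // 5.3 step 6: a Domain that the responding host does not match -> ignore the cookie
  if (!cookie.hostOnly && !domainMatches(requestHost, cookie.domain)) return null;
  return cookie;
}

// 5.1.3: the host equals the domain, or is a subdomain of it (and is not an IP).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// 5.4: is the cookie eligible for the Cookie header of a request to host/path?
function cookieApplies(cookie, requestHost, requestPath, https) {
  const domainOk = cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
  return domainOk && pathMatches(requestPath, cookie.path) && (!cookie.secure || https);
}
```

Eligibility under these rules is necessary but not sufficient for the cross-origin case in the question: a cookie that domain-matches is still withheld from a cross-origin XMLHttpRequest unless the request was made with credentials enabled and the response carries Access-Control-Allow-Credentials: true with a non-wildcard Access-Control-Allow-Origin.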