i think i misunderstood the management of cookies with xmlhttprequest. I have a server that response to the XMLHttpRequest
made in javascript, my server returns Allow-Control-Access-Origin
, Access-Control-Allow-Headers
, Access-Control-Expose-Headers
and Access-Control-Allow-Credentials
headers with the correct value.
I'm doing a Digest Authenticate in a server with javascript, no problem in that, i receive ok the WWW-Authenticate
header from server, i process and send to the server the Authorization header with all the digest-response and everything ok.
The problem is, that when the digest-challenge is succesful, my server returns a Set-Cookie Header, i have to get it and add to the rest of all of my xhr request.
The browser (using Chromium and Chrome) not let me access to the header doing:
xhr.getResponseHeader("Set-Cookie");
Ok, in the XMLHTTPREQUEST Level 2 it says: "Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2" Ok, so i cant take it, but what are the ways? Using the Chrome Api for cookies (at the moment i dont read noting about it), but i want to do for a standard manner as posible. With the:
xhr.withCredentials = true;
means that the browser automatically get the set-cookie and send in cookie headers??
The default is false . XMLHttpRequest responses from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request.
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
XMLHttpRequest (XHR) objects are used to interact with servers. You can retrieve data from a URL without having to do a full page refresh. This enables a Web page to update just part of a page without disrupting what the user is doing. XMLHttpRequest is used heavily in AJAX programming.
If you set credentials to same-origin : Fetch will send 1st party cookies to its own server. It will not send cookies to other domains or subdomains. If you set credentials to include : Fetch will continue to send 1st party cookies to its own server.
From CORS spec http://www.w3.org/TR/cors/#make-a-request-steps:
Whenever the make a request steps are applied, fetch the request URL from origin source origin with the manual redirect flag set, and the block cookies flag set if the omit credentials flag is set. Use method request method, entity body request entity body, including the author request headers, and include user credentials if the omit credentials flag is unset. Exclude the Referer header if source origin is a globally unique identifier.
As you correctly says - cookies are added by browser if you use withCredentials
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With