Why is jquery's .ajax() method not sending my session cookie?
After logging in via $.ajax() to a site, I am trying to send a second $.ajax() request to that site - but when I check the headers sent using FireBug, there is no session cookie being included in the request.
What am I doing wrong?
jquery ajax session cookies
edited Nov 28 '12 at 22:12
Troy Alford
22.5k85572
asked May 20 '10 at 0:44
user345625user345625
1,5913105
|
show 2 more comments
After logging in via $.ajax() to a site, I am trying to send a second $.ajax() request to that site - but when I check the headers sent using FireBug, there is no session cookie being included in the request.
What am I doing wrong?
jquery ajax session cookies
edited Nov 28 '12 at 22:12
Troy Alford
22.5k85572
asked May 20 '10 at 0:44
user345625user345625
1,5913105
2
Cookie of ajax might come after the web cookie and FireBug might catch the first page cookie.
– Chris
May 20 '10 at 0:48
1
I did not get what u mean but I can say if I paste the request url in browser address bar and check Firebug again, I can see the cookie in headres sent to the server. Any solutions?
– user345625
May 20 '10 at 1:04
So, I think ajax will also handle same way browser does
– user345625
May 20 '10 at 1:05
What is the code you're using?
– Dean Harding
May 20 '10 at 1:06
the browser will still create cookies set by the server during a ajax request, jquery or otherwise. Did you check the response to the ajax request and ensure cookies came back from the server to be set? There could be a problem with the server code such that it is not even setting the cookie, etc.
– David
May 20 '10 at 1:27
|
show 2 more comments
After logging in via $.ajax() to a site, I am trying to send a second $.ajax() request to that site - but when I check the headers sent using FireBug, there is no session cookie being included in the request.
What am I doing wrong?
jquery ajax session cookies
edited Nov 28 '12 at 22:12
Troy Alford
22.5k85572
asked May 20 '10 at 0:44
user345625user345625
1,5913105
After logging in via $.ajax() to a site, I am trying to send a second $.ajax() request to that site - but when I check the headers sent using FireBug, there is no session cookie being included in the request.
What am I doing wrong?
jquery ajax session cookies
jquery ajax session cookies
edited Nov 28 '12 at 22:12
Troy Alford
22.5k85572
asked May 20 '10 at 0:44
user345625user345625
1,5913105
edited Nov 28 '12 at 22:12
Troy Alford
22.5k85572
asked May 20 '10 at 0:44
user345625user345625
1,5913105
edited Nov 28 '12 at 22:12
Troy Alford
22.5k85572
edited Nov 28 '12 at 22:12
Troy Alford
22.5k85572
edited Nov 28 '12 at 22:12
Troy Alford
22.5k85572
22.5k85572
asked May 20 '10 at 0:44
user345625user345625
1,5913105
asked May 20 '10 at 0:44
user345625user345625
1,5913105
asked May 20 '10 at 0:44
user345625user345625
1,5913105
1,5913105
2
Cookie of ajax might come after the web cookie and FireBug might catch the first page cookie.
– Chris
May 20 '10 at 0:48
1
I did not get what u mean but I can say if I paste the request url in browser address bar and check Firebug again, I can see the cookie in headres sent to the server. Any solutions?
– user345625
May 20 '10 at 1:04
So, I think ajax will also handle same way browser does
– user345625
May 20 '10 at 1:05
What is the code you're using?
– Dean Harding
May 20 '10 at 1:06
the browser will still create cookies set by the server during a ajax request, jquery or otherwise. Did you check the response to the ajax request and ensure cookies came back from the server to be set? There could be a problem with the server code such that it is not even setting the cookie, etc.
– David
May 20 '10 at 1:27
|
show 2 more comments
2
Cookie of ajax might come after the web cookie and FireBug might catch the first page cookie.
– Chris
May 20 '10 at 0:48
1
I did not get what u mean but I can say if I paste the request url in browser address bar and check Firebug again, I can see the cookie in headres sent to the server. Any solutions?
– user345625
May 20 '10 at 1:04
So, I think ajax will also handle same way browser does
– user345625
May 20 '10 at 1:05
What is the code you're using?
– Dean Harding
May 20 '10 at 1:06
the browser will still create cookies set by the server during a ajax request, jquery or otherwise. Did you check the response to the ajax request and ensure cookies came back from the server to be set? There could be a problem with the server code such that it is not even setting the cookie, etc.
– David
May 20 '10 at 1:27
2
2
Cookie of ajax might come after the web cookie and FireBug might catch the first page cookie.
– Chris
May 20 '10 at 0:48
Cookie of ajax might come after the web cookie and FireBug might catch the first page cookie.
– Chris
May 20 '10 at 0:48
1
1
I did not get what u mean but I can say if I paste the request url in browser address bar and check Firebug again, I can see the cookie in headres sent to the server. Any solutions?
– user345625
May 20 '10 at 1:04
I did not get what u mean but I can say if I paste the request url in browser address bar and check Firebug again, I can see the cookie in headres sent to the server. Any solutions?
– user345625
May 20 '10 at 1:04
So, I think ajax will also handle same way browser does
– user345625
May 20 '10 at 1:05
So, I think ajax will also handle same way browser does
– user345625
May 20 '10 at 1:05
What is the code you're using?
– Dean Harding
May 20 '10 at 1:06
What is the code you're using?
– Dean Harding
May 20 '10 at 1:06
the browser will still create cookies set by the server during a ajax request, jquery or otherwise. Did you check the response to the ajax request and ensure cookies came back from the server to be set? There could be a problem with the server code such that it is not even setting the cookie, etc.
– David
May 20 '10 at 1:27
the browser will still create cookies set by the server during a ajax request, jquery or otherwise. Did you check the response to the ajax request and ensure cookies came back from the server to be set? There could be a problem with the server code such that it is not even setting the cookie, etc.
– David
May 20 '10 at 1:27
|
show 2 more comments
11 Answers
11
active
oldest
votes
AJAX calls only send Cookies if the url you're calling is on the same domain as your calling script.
This may be a Cross Domain Problem.
Maybe you tried to call a url from www.domain-a.com while your calling script was on www.domain-b.com (In other words: You made a Cross Domain Call in which case the browser won't sent any cookies to protect your privacy).
In this case your options are:
- Write a small proxy which resides on domain-b and forwards your requests to domain-a. Your browser will allow you to call the proxy because it's on the same server as the calling script.
This proxy then can be configured by you to accept a cookie name and value parameter which it can send to domain-a. But for this to work you need to know the cookie's name and value your server on domain-a wants for authentication. - If you're fetching JSON objects try to use a JSONP request instead. jQuery supports these. But you need to alter your service on domain-a so that it returns valid JSONP responds.
Glad if that helped even a little bit.
edited Sep 14 '15 at 10:00
lord_t
2,06022146
answered Mar 24 '11 at 16:23
fluflu
10.4k75964
16
It's also worth noting that cookies can be set to a specific path so if you cookie was set withpath=/somethingand you are requesting the page/anotherthen the cookie will not be sent. When you request the page/somethingthe cookie will be sent as expected. So check the code that sets the cookie as well.
– styfle
Jul 30 '13 at 20:45
2
does a jsonp request send coockies?
– albanx
Mar 23 '14 at 11:25
1
@albanx Yes, if the requirements I mentioned are set. It's just a normal request like any other and as such sends cookies.
– flu
Mar 24 '14 at 15:31
1
@albanx this other related question includes an example of how to do that JSONP request with custom cookies
– AntonioHerraizS
May 13 '14 at 16:17
4
According to JSONP on Wikipedia > this approach was abandoned in favour of CORS
– Peter Dotchev
Nov 5 '15 at 9:05
|
show 3 more comments
I am operating in cross-domain scenario. During login remote server is returning Set-Cookie header along with Access-Control-Allow-Credentials set to true.
The next ajax call to remote server should use this cookie.
CORS's Access-Control-Allow-Credentials is there to allow cross-domain logging. Check https://developer.mozilla.org/En/HTTP_access_control for examples.
For me it seems like a bug in JQuery (or at least feature-to-be in next version).
UPDATE:
Cookies are not set automatically from AJAX response (citation: http://aleembawany.com/2006/11/14/anatomy-of-a-well-designed-ajax-login-experience/)
Why?
You cannot get value of the cookie from response to set it manually (http://www.w3.org/TR/XMLHttpRequest/#dom-xmlhttprequest-getresponseheader)
I'm confused..
There should exist a way to ask
jquery.ajax()to setXMLHttpRequest.withCredentials = "true"parameter.
ANSWER:
You should use xhrFields param of http://api.jquery.com/jQuery.ajax/
The example in the documentation is:
$.ajax({
url: a_cross_domain_url,
xhrFields: {
withCredentials: true
}
});
It's important as well that server answers correctly to this request. Copying here great comments from @Frédéric and @Pebbl:
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *
So when the request is:
Origin: http://foo.example
Cookie: pageAccess=2
Server should respond with:
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Credentials: true
[payload]
Otherwise payload won't be returned to script. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
answered Aug 25 '11 at 11:22
KangurKangur
6,04231824
7
Great ! I add to use this + set Access-Control-Allow-Credentials header to true on server side
– Frédéric
Nov 29 '12 at 12:26
and where do I set those Credentials ?, at the Header Autorization ?, at the request body ?
– Francisco Corrales Morales
Mar 20 '14 at 21:25
1
More here html5rocks.com/en/tutorials/cors
– Dmitry Minkovsky
May 9 '14 at 15:17
3
Thanks for the answer :) just a quick addition, it might be worth mentioningImportant note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *developer.mozilla.org/en-US/docs/Web/HTTP/…
– Pebbl
Aug 27 '14 at 16:52
None of this worked for me unfortunately. If I run the same request from AngularJS it works, but from jQuery, even with these suggestions the session Cookie is not passed. (jQuery v2.1.1)
– geoidesic
May 14 '16 at 18:29
|
show 3 more comments
Using
xhrFields: { withCredentials:true }
as part of my jQuery ajax call was only part of the solution. I also needed to have the headers returned in the OPTIONS response from my resource:
Access-Control-Allow-Origin : http://www.wombling.com
Access-Control-Allow-Credentials : true
It was important that only one allowed "origin" was in the response header of the OPTIONS call and not "*". I achieved this by reading the origin from the request and populating it back into the response - probably circumventing the original reason for the restriction, but in my use case the security is not paramount.
I thought it worth explicitly mentioning the requirement for only one origin, as the W3C standard does allow for a space separated list -but Chrome doesn't!
http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
NB the "in practice" bit.
answered May 14 '14 at 16:50
wombling - Chris Painewombling - Chris Paine
1,0031114
add a comment |
Put this in your init function:
$.ajaxSetup({
xhrFields: {
withCredentials: true
}
});
It will work.
edited Mar 22 '15 at 11:20
Daniel Kmak
13.6k64571
answered Mar 19 '15 at 7:08
Alex AthlanAlex Athlan
38933
You saved my day! On the method level withCredentials didn't work for me. But globaly like this it finally works! Thanks.
– Paulius Matulionis
Apr 10 '15 at 10:54
add a comment |
There are already a lot of good responses to this question, but I thought it may be helpful to clarify the case where you would expect the session cookie to be sent because the cookie domain matches, but it is not getting sent because the AJAX request is being made to a different subdomain. In this case, I have a cookie that is assigned to the *.mydomain.com domain, and I am wanting it to be included in an AJAX request to different.mydomain.com". By default, the cookie does not get sent. You do not need to disable HTTPONLY on the session cookie to resolve this issue. You only need to do what wombling suggested (https://stackoverflow.com/a/23660618/545223) and do the following.
1) Add the following to your ajax request.
xhrFields: { withCredentials:true }
2) Add the following to your response headers for resources in the different subdomain.
Access-Control-Allow-Origin : http://original.mydomain.com
Access-Control-Allow-Credentials : true
edited May 23 '17 at 12:26
Community♦
11
answered May 20 '14 at 23:03
munchbitmunchbit
470510
add a comment |
After trying out the other solutions and still not getting it to work, I found out what the problem was in my case. I changed contentType from "application/json" to "text/plain".
$.ajax(fullUrl, {
type: "GET",
contentType: "text/plain",
xhrFields: {
withCredentials: true
},
crossDomain: true
});
answered Feb 23 '18 at 9:31
Janno TeelemJanno Teelem
945
add a comment |
I was having this same problem and doing some checks my script was just simply not getting the sessionid cookie.
I figured out by looking at the sessionid cookie value in the browser that my framework (Django) was passing the sessionid cookie with HttpOnly as default. This meant that scripts did not have access to the sessionid value and therefore were not passing it along with requests. Kind of ridiculous that HttpOnly would be the default value when so many things use Ajax which would require access restriction.
To fix this I changed a setting (SESSION_COOKIE_HTTPONLY=False) but in other cases it may be a "HttpOnly" flag on the cookie path
answered Oct 12 '13 at 17:16
wiwawiwa
445
blog.codinghorror.com/protecting-your-cookies-httponly
– TechSavvySam
Feb 17 '17 at 3:12
1
Do NOT do this. It allows client side script access to the session cookie which is the most common XSS attack vector. owasp.org/index.php/HttpOnly
– Jason Elkin
May 9 '17 at 14:42
add a comment |
If you are developing on localhost or a port on localhost such as localhost:8080, in addition to the steps described in the answers above, you also need to ensure that you are not passing a domain value in the Set-Cookie header.
You cannot set the domain to localhost in the Set-Cookie header - that's incorrect - just omit the domain.
See Cookies on localhost with explicit domain and Why won't asp.net create cookies in localhost?
edited May 23 '17 at 11:55
Community♦
11
answered Jul 11 '15 at 9:17
jitinjitin
619713
Can you show sample code
– Meas
Feb 21 at 5:35
add a comment |
Just my 2 cents on setting PHPSESSID cookie issue when on localhost and under dev environment. I make the AJAX call to my REST API endpoint on the locahost. Say its address is mysite.localhost/api/member/login/ (virtal host on my dev environment).
When I do this request on Postman, things go fine and PHPSESSID is set with the response.
When I request this endpoint via AJAX from the Browsersync proxied page (e.g. from
122.133.1.110:3000/test/api/login.phpin my browser address line, see the domain is different vsmysite.localhost) PHPSESSID does not appear among cookies.When I make this request directly from the page on the same domain (i.e.
mysite.localhost/test/api/login.php) PHPSESSID is set just fine.
So this is a cross-origin origin request cookies issue as mentioned in @flu answer above
answered Nov 15 '18 at 9:32
bob-12345bob-12345
188411
add a comment |
You have to initialize the session before you trying to login.
For php, you have to do
session_start();
on the page from where you start the login ajax call.
So that the SESSIONID will be created and stored the browser cookie. And sent along with request header during the ajax call, if you do the ajax request to the same domain
For the successive ajax calls browser will use the SESSIONID that created and stored initially in browser cookie, unless we clear the browser cookie or do logout (or set another cookie)
answered May 27 '17 at 5:58
Mohammed SafeerMohammed Safeer
10.6k55462
add a comment |
Perhaps not 100% answering the question, but i stumbled onto this thread in the hope of solving a session problem when ajax-posting a fileupload from the assetmanager of the innovastudio editor.
Eventually the solution was simple: they have a flash-uploader. Disabling that (setting
var flashUpload = false;
in asset.php) and the lights started blinking again.
As these problems can be very hard to debug i found that putting something like the following in the upload handler will set you (well, me in this case) on the right track:
$sn=session_name();
error_log("session_name: $sn ");
if(isset($_GET[$sn])) error_log("session as GET param");
if(isset($_POST[$sn])) error_log("session as POST param");
if(isset($_COOKIE[$sn])) error_log("session as Cookie");
if(isset($PHPSESSID)) error_log("session as Global");
A dive into the log and I quickly spotted the missing session, where no cookie was sent.
answered Aug 4 '14 at 22:05
Ellert van KoperenEllert van Koperen
400314
I don't think the example above would work, because when there's no session cookie, what would the value of $sn be? (a random one, or maybe null), alternatively users could set session_name from a GET value for examplesession_name(isset($_GET['sess']) ? $_GET['sess'] : null);session_start();this way, they'd get a working thing
– Steel Brain
Dec 21 '14 at 2:30
That is exactly how i found the problem: no session when posting from this flash uploader thingy. As using a GET variable session identifier is a bad idea, and the cookie was not working, i threw it out. Who cares, flash is a thing of the past anyways.
– Ellert van Koperen
Dec 22 '14 at 12:22
add a comment |
protected by Community♦ Sep 25 '15 at 18:16
Thank you for your interest in this question.
Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?
11 Answers
11
active
oldest
votes
11 Answers
11
active
oldest
votes
active
oldest
votes
active
oldest
votes
AJAX calls only send Cookies if the url you're calling is on the same domain as your calling script.
This may be a Cross Domain Problem.
Maybe you tried to call a url from www.domain-a.com while your calling script was on www.domain-b.com (In other words: You made a Cross Domain Call in which case the browser won't sent any cookies to protect your privacy).
In this case your options are:
- Write a small proxy which resides on domain-b and forwards your requests to domain-a. Your browser will allow you to call the proxy because it's on the same server as the calling script.
This proxy then can be configured by you to accept a cookie name and value parameter which it can send to domain-a. But for this to work you need to know the cookie's name and value your server on domain-a wants for authentication. - If you're fetching JSON objects try to use a JSONP request instead. jQuery supports these. But you need to alter your service on domain-a so that it returns valid JSONP responds.
Glad if that helped even a little bit.
edited Sep 14 '15 at 10:00
lord_t
2,06022146
answered Mar 24 '11 at 16:23
fluflu
10.4k75964
16
It's also worth noting that cookies can be set to a specific path so if you cookie was set withpath=/somethingand you are requesting the page/anotherthen the cookie will not be sent. When you request the page/somethingthe cookie will be sent as expected. So check the code that sets the cookie as well.
– styfle
Jul 30 '13 at 20:45
2
does a jsonp request send coockies?
– albanx
Mar 23 '14 at 11:25
1
@albanx Yes, if the requirements I mentioned are set. It's just a normal request like any other and as such sends cookies.
– flu
Mar 24 '14 at 15:31
1
@albanx this other related question includes an example of how to do that JSONP request with custom cookies
– AntonioHerraizS
May 13 '14 at 16:17
4
According to JSONP on Wikipedia > this approach was abandoned in favour of CORS
– Peter Dotchev
Nov 5 '15 at 9:05
|
show 3 more comments
AJAX calls only send Cookies if the url you're calling is on the same domain as your calling script.
This may be a Cross Domain Problem.
Maybe you tried to call a url from www.domain-a.com while your calling script was on www.domain-b.com (In other words: You made a Cross Domain Call in which case the browser won't sent any cookies to protect your privacy).
In this case your options are:
- Write a small proxy which resides on domain-b and forwards your requests to domain-a. Your browser will allow you to call the proxy because it's on the same server as the calling script.
This proxy then can be configured by you to accept a cookie name and value parameter which it can send to domain-a. But for this to work you need to know the cookie's name and value your server on domain-a wants for authentication. - If you're fetching JSON objects try to use a JSONP request instead. jQuery supports these. But you need to alter your service on domain-a so that it returns valid JSONP responds.
Glad if that helped even a little bit.
edited Sep 14 '15 at 10:00
lord_t
2,06022146
answered Mar 24 '11 at 16:23
fluflu
10.4k75964
16
It's also worth noting that cookies can be set to a specific path so if you cookie was set withpath=/somethingand you are requesting the page/anotherthen the cookie will not be sent. When you request the page/somethingthe cookie will be sent as expected. So check the code that sets the cookie as well.
– styfle
Jul 30 '13 at 20:45
2
does a jsonp request send coockies?
– albanx
Mar 23 '14 at 11:25
1
@albanx Yes, if the requirements I mentioned are set. It's just a normal request like any other and as such sends cookies.
– flu
Mar 24 '14 at 15:31
1
@albanx this other related question includes an example of how to do that JSONP request with custom cookies
– AntonioHerraizS
May 13 '14 at 16:17
4
According to JSONP on Wikipedia > this approach was abandoned in favour of CORS
– Peter Dotchev
Nov 5 '15 at 9:05
|
show 3 more comments
AJAX calls only send Cookies if the url you're calling is on the same domain as your calling script.
This may be a Cross Domain Problem.
Maybe you tried to call a url from www.domain-a.com while your calling script was on www.domain-b.com (In other words: You made a Cross Domain Call in which case the browser won't sent any cookies to protect your privacy).
In this case your options are:
- Write a small proxy which resides on domain-b and forwards your requests to domain-a. Your browser will allow you to call the proxy because it's on the same server as the calling script.
This proxy then can be configured by you to accept a cookie name and value parameter which it can send to domain-a. But for this to work you need to know the cookie's name and value your server on domain-a wants for authentication. - If you're fetching JSON objects try to use a JSONP request instead. jQuery supports these. But you need to alter your service on domain-a so that it returns valid JSONP responds.
Glad if that helped even a little bit.
edited Sep 14 '15 at 10:00
lord_t
2,06022146
answered Mar 24 '11 at 16:23
fluflu
10.4k75964
AJAX calls only send Cookies if the url you're calling is on the same domain as your calling script.
This may be a Cross Domain Problem.
Maybe you tried to call a url from www.domain-a.com while your calling script was on www.domain-b.com (In other words: You made a Cross Domain Call in which case the browser won't sent any cookies to protect your privacy).
In this case your options are:
- Write a small proxy which resides on domain-b and forwards your requests to domain-a. Your browser will allow you to call the proxy because it's on the same server as the calling script.
This proxy then can be configured by you to accept a cookie name and value parameter which it can send to domain-a. But for this to work you need to know the cookie's name and value your server on domain-a wants for authentication. - If you're fetching JSON objects try to use a JSONP request instead. jQuery supports these. But you need to alter your service on domain-a so that it returns valid JSONP responds.
Glad if that helped even a little bit.
edited Sep 14 '15 at 10:00
lord_t
2,06022146
answered Mar 24 '11 at 16:23
fluflu
10.4k75964
edited Sep 14 '15 at 10:00
lord_t
2,06022146
edited Sep 14 '15 at 10:00
lord_t
2,06022146
edited Sep 14 '15 at 10:00
lord_t
2,06022146
2,06022146
answered Mar 24 '11 at 16:23
fluflu
10.4k75964
answered Mar 24 '11 at 16:23
fluflu
10.4k75964
answered Mar 24 '11 at 16:23
fluflu
10.4k75964
10.4k75964
16
It's also worth noting that cookies can be set to a specific path so if you cookie was set withpath=/somethingand you are requesting the page/anotherthen the cookie will not be sent. When you request the page/somethingthe cookie will be sent as expected. So check the code that sets the cookie as well.
– styfle
Jul 30 '13 at 20:45
2
does a jsonp request send coockies?
– albanx
Mar 23 '14 at 11:25
1
@albanx Yes, if the requirements I mentioned are set. It's just a normal request like any other and as such sends cookies.
– flu
Mar 24 '14 at 15:31
1
@albanx this other related question includes an example of how to do that JSONP request with custom cookies
– AntonioHerraizS
May 13 '14 at 16:17
4
According to JSONP on Wikipedia > this approach was abandoned in favour of CORS
– Peter Dotchev
Nov 5 '15 at 9:05
|
show 3 more comments
16
It's also worth noting that cookies can be set to a specific path so if you cookie was set withpath=/somethingand you are requesting the page/anotherthen the cookie will not be sent. When you request the page/somethingthe cookie will be sent as expected. So check the code that sets the cookie as well.
– styfle
Jul 30 '13 at 20:45
2
does a jsonp request send coockies?
– albanx
Mar 23 '14 at 11:25
1
@albanx Yes, if the requirements I mentioned are set. It's just a normal request like any other and as such sends cookies.
– flu
Mar 24 '14 at 15:31
1
@albanx this other related question includes an example of how to do that JSONP request with custom cookies
– AntonioHerraizS
May 13 '14 at 16:17
4
According to JSONP on Wikipedia > this approach was abandoned in favour of CORS
– Peter Dotchev
Nov 5 '15 at 9:05
16
16
It's also worth noting that cookies can be set to a specific path so if you cookie was set with
path=/something and you are requesting the page /another then the cookie will not be sent. When you request the page /something the cookie will be sent as expected. So check the code that sets the cookie as well.– styfle
Jul 30 '13 at 20:45
It's also worth noting that cookies can be set to a specific path so if you cookie was set with
path=/something and you are requesting the page /another then the cookie will not be sent. When you request the page /something the cookie will be sent as expected. So check the code that sets the cookie as well.– styfle
Jul 30 '13 at 20:45
2
2
does a jsonp request send coockies?
– albanx
Mar 23 '14 at 11:25
does a jsonp request send coockies?
– albanx
Mar 23 '14 at 11:25
1
1
@albanx Yes, if the requirements I mentioned are set. It's just a normal request like any other and as such sends cookies.
– flu
Mar 24 '14 at 15:31
@albanx Yes, if the requirements I mentioned are set. It's just a normal request like any other and as such sends cookies.
– flu
Mar 24 '14 at 15:31
1
1
@albanx this other related question includes an example of how to do that JSONP request with custom cookies
– AntonioHerraizS
May 13 '14 at 16:17
@albanx this other related question includes an example of how to do that JSONP request with custom cookies
– AntonioHerraizS
May 13 '14 at 16:17
4
4
According to JSONP on Wikipedia > this approach was abandoned in favour of CORS
– Peter Dotchev
Nov 5 '15 at 9:05
According to JSONP on Wikipedia > this approach was abandoned in favour of CORS
– Peter Dotchev
Nov 5 '15 at 9:05
|
show 3 more comments
I am operating in cross-domain scenario. During login remote server is returning Set-Cookie header along with Access-Control-Allow-Credentials set to true.
The next ajax call to remote server should use this cookie.
CORS's Access-Control-Allow-Credentials is there to allow cross-domain logging. Check https://developer.mozilla.org/En/HTTP_access_control for examples.
For me it seems like a bug in JQuery (or at least feature-to-be in next version).
UPDATE:
Cookies are not set automatically from AJAX response (citation: http://aleembawany.com/2006/11/14/anatomy-of-a-well-designed-ajax-login-experience/)
Why?
You cannot get value of the cookie from response to set it manually (http://www.w3.org/TR/XMLHttpRequest/#dom-xmlhttprequest-getresponseheader)
I'm confused..
There should exist a way to ask
jquery.ajax()to setXMLHttpRequest.withCredentials = "true"parameter.
ANSWER:
You should use xhrFields param of http://api.jquery.com/jQuery.ajax/
The example in the documentation is:
$.ajax({
url: a_cross_domain_url,
xhrFields: {
withCredentials: true
}
});
It's important as well that server answers correctly to this request. Copying here great comments from @Frédéric and @Pebbl:
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *
So when the request is:
Origin: http://foo.example
Cookie: pageAccess=2
Server should respond with:
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Credentials: true
[payload]
Otherwise payload won't be returned to script. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
answered Aug 25 '11 at 11:22
KangurKangur
6,04231824
7
Great ! I add to use this + set Access-Control-Allow-Credentials header to true on server side
– Frédéric
Nov 29 '12 at 12:26
and where do I set those Credentials ?, at the Header Autorization ?, at the request body ?
– Francisco Corrales Morales
Mar 20 '14 at 21:25
1
More here html5rocks.com/en/tutorials/cors
– Dmitry Minkovsky
May 9 '14 at 15:17
3
Thanks for the answer :) just a quick addition, it might be worth mentioningImportant note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *developer.mozilla.org/en-US/docs/Web/HTTP/…
– Pebbl
Aug 27 '14 at 16:52
None of this worked for me unfortunately. If I run the same request from AngularJS it works, but from jQuery, even with these suggestions the session Cookie is not passed. (jQuery v2.1.1)
– geoidesic
May 14 '16 at 18:29
|
show 3 more comments
I am operating in cross-domain scenario. During login remote server is returning Set-Cookie header along with Access-Control-Allow-Credentials set to true.
The next ajax call to remote server should use this cookie.
CORS's Access-Control-Allow-Credentials is there to allow cross-domain logging. Check https://developer.mozilla.org/En/HTTP_access_control for examples.
For me it seems like a bug in JQuery (or at least feature-to-be in next version).
UPDATE:
Cookies are not set automatically from AJAX response (citation: http://aleembawany.com/2006/11/14/anatomy-of-a-well-designed-ajax-login-experience/)
Why?
You cannot get value of the cookie from response to set it manually (http://www.w3.org/TR/XMLHttpRequest/#dom-xmlhttprequest-getresponseheader)
I'm confused..
There should exist a way to ask
jquery.ajax()to setXMLHttpRequest.withCredentials = "true"parameter.
ANSWER:
You should use xhrFields param of http://api.jquery.com/jQuery.ajax/
The example in the documentation is:
$.ajax({
url: a_cross_domain_url,
xhrFields: {
withCredentials: true
}
});
It's important as well that server answers correctly to this request. Copying here great comments from @Frédéric and @Pebbl:
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *
So when the request is:
Origin: http://foo.example
Cookie: pageAccess=2
Server should respond with:
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Credentials: true
[payload]
Otherwise payload won't be returned to script. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
answered Aug 25 '11 at 11:22
KangurKangur
6,04231824
7
Great ! I add to use this + set Access-Control-Allow-Credentials header to true on server side
– Frédéric
Nov 29 '12 at 12:26
and where do I set those Credentials ?, at the Header Autorization ?, at the request body ?
– Francisco Corrales Morales
Mar 20 '14 at 21:25
1
More here html5rocks.com/en/tutorials/cors
– Dmitry Minkovsky
May 9 '14 at 15:17
3
Thanks for the answer :) just a quick addition, it might be worth mentioningImportant note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *developer.mozilla.org/en-US/docs/Web/HTTP/…
– Pebbl
Aug 27 '14 at 16:52
None of this worked for me unfortunately. If I run the same request from AngularJS it works, but from jQuery, even with these suggestions the session Cookie is not passed. (jQuery v2.1.1)
– geoidesic
May 14 '16 at 18:29
|
show 3 more comments
I am operating in cross-domain scenario. During login remote server is returning Set-Cookie header along with Access-Control-Allow-Credentials set to true.
The next ajax call to remote server should use this cookie.
CORS's Access-Control-Allow-Credentials is there to allow cross-domain logging. Check https://developer.mozilla.org/En/HTTP_access_control for examples.
For me it seems like a bug in JQuery (or at least feature-to-be in next version).
UPDATE:
Cookies are not set automatically from AJAX response (citation: http://aleembawany.com/2006/11/14/anatomy-of-a-well-designed-ajax-login-experience/)
Why?
You cannot get value of the cookie from response to set it manually (http://www.w3.org/TR/XMLHttpRequest/#dom-xmlhttprequest-getresponseheader)
I'm confused..
There should exist a way to ask
jquery.ajax()to setXMLHttpRequest.withCredentials = "true"parameter.
ANSWER:
You should use xhrFields param of http://api.jquery.com/jQuery.ajax/
The example in the documentation is:
$.ajax({
url: a_cross_domain_url,
xhrFields: {
withCredentials: true
}
});
It's important as well that server answers correctly to this request. Copying here great comments from @Frédéric and @Pebbl:
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *
So when the request is:
Origin: http://foo.example
Cookie: pageAccess=2
Server should respond with:
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Credentials: true
[payload]
Otherwise payload won't be returned to script. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
answered Aug 25 '11 at 11:22
KangurKangur
6,04231824
I am operating in cross-domain scenario. During login remote server is returning Set-Cookie header along with Access-Control-Allow-Credentials set to true.
The next ajax call to remote server should use this cookie.
CORS's Access-Control-Allow-Credentials is there to allow cross-domain logging. Check https://developer.mozilla.org/En/HTTP_access_control for examples.
For me it seems like a bug in JQuery (or at least feature-to-be in next version).
UPDATE:
Cookies are not set automatically from AJAX response (citation: http://aleembawany.com/2006/11/14/anatomy-of-a-well-designed-ajax-login-experience/)
Why?
You cannot get value of the cookie from response to set it manually (http://www.w3.org/TR/XMLHttpRequest/#dom-xmlhttprequest-getresponseheader)
I'm confused..
There should exist a way to ask
jquery.ajax()to setXMLHttpRequest.withCredentials = "true"parameter.
ANSWER:
You should use xhrFields param of http://api.jquery.com/jQuery.ajax/
The example in the documentation is:
$.ajax({
url: a_cross_domain_url,
xhrFields: {
withCredentials: true
}
});
It's important as well that server answers correctly to this request. Copying here great comments from @Frédéric and @Pebbl:
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *
So when the request is:
Origin: http://foo.example
Cookie: pageAccess=2
Server should respond with:
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Credentials: true
[payload]
Otherwise payload won't be returned to script. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
answered Aug 25 '11 at 11:22
KangurKangur
6,04231824
edited Mar 5 '16 at 17:51
answered Aug 25 '11 at 11:22
KangurKangur
6,04231824
answered Aug 25 '11 at 11:22
KangurKangur
6,04231824
answered Aug 25 '11 at 11:22
KangurKangur
6,04231824
6,04231824
7
Great ! I add to use this + set Access-Control-Allow-Credentials header to true on server side
– Frédéric
Nov 29 '12 at 12:26
and where do I set those Credentials ?, at the Header Autorization ?, at the request body ?
– Francisco Corrales Morales
Mar 20 '14 at 21:25
1
More here html5rocks.com/en/tutorials/cors
– Dmitry Minkovsky
May 9 '14 at 15:17
3
Thanks for the answer :) just a quick addition, it might be worth mentioningImportant note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *developer.mozilla.org/en-US/docs/Web/HTTP/…
– Pebbl
Aug 27 '14 at 16:52
None of this worked for me unfortunately. If I run the same request from AngularJS it works, but from jQuery, even with these suggestions the session Cookie is not passed. (jQuery v2.1.1)
– geoidesic
May 14 '16 at 18:29
|
show 3 more comments
7
Great ! I add to use this + set Access-Control-Allow-Credentials header to true on server side
– Frédéric
Nov 29 '12 at 12:26
and where do I set those Credentials ?, at the Header Autorization ?, at the request body ?
– Francisco Corrales Morales
Mar 20 '14 at 21:25
1
More here html5rocks.com/en/tutorials/cors
– Dmitry Minkovsky
May 9 '14 at 15:17
3
Thanks for the answer :) just a quick addition, it might be worth mentioningImportant note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *developer.mozilla.org/en-US/docs/Web/HTTP/…
– Pebbl
Aug 27 '14 at 16:52
None of this worked for me unfortunately. If I run the same request from AngularJS it works, but from jQuery, even with these suggestions the session Cookie is not passed. (jQuery v2.1.1)
– geoidesic
May 14 '16 at 18:29
7
7
Great ! I add to use this + set Access-Control-Allow-Credentials header to true on server side
– Frédéric
Nov 29 '12 at 12:26
Great ! I add to use this + set Access-Control-Allow-Credentials header to true on server side
– Frédéric
Nov 29 '12 at 12:26
and where do I set those Credentials ?, at the Header Autorization ?, at the request body ?
– Francisco Corrales Morales
Mar 20 '14 at 21:25
and where do I set those Credentials ?, at the Header Autorization ?, at the request body ?
– Francisco Corrales Morales
Mar 20 '14 at 21:25
1
1
More here html5rocks.com/en/tutorials/cors
– Dmitry Minkovsky
May 9 '14 at 15:17
More here html5rocks.com/en/tutorials/cors
– Dmitry Minkovsky
May 9 '14 at 15:17
3
3
Thanks for the answer :) just a quick addition, it might be worth mentioning
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: * developer.mozilla.org/en-US/docs/Web/HTTP/…– Pebbl
Aug 27 '14 at 16:52
Thanks for the answer :) just a quick addition, it might be worth mentioning
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: * developer.mozilla.org/en-US/docs/Web/HTTP/…– Pebbl
Aug 27 '14 at 16:52
None of this worked for me unfortunately. If I run the same request from AngularJS it works, but from jQuery, even with these suggestions the session Cookie is not passed. (jQuery v2.1.1)
– geoidesic
May 14 '16 at 18:29
None of this worked for me unfortunately. If I run the same request from AngularJS it works, but from jQuery, even with these suggestions the session Cookie is not passed. (jQuery v2.1.1)
– geoidesic
May 14 '16 at 18:29
|
show 3 more comments
Using
xhrFields: { withCredentials:true }
as part of my jQuery ajax call was only part of the solution. I also needed to have the headers returned in the OPTIONS response from my resource:
Access-Control-Allow-Origin : http://www.wombling.com
Access-Control-Allow-Credentials : true
It was important that only one allowed "origin" was in the response header of the OPTIONS call and not "*". I achieved this by reading the origin from the request and populating it back into the response - probably circumventing the original reason for the restriction, but in my use case the security is not paramount.
I thought it worth explicitly mentioning the requirement for only one origin, as the W3C standard does allow for a space separated list -but Chrome doesn't!
http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
NB the "in practice" bit.
answered May 14 '14 at 16:50
wombling - Chris Painewombling - Chris Paine
1,0031114
add a comment |
Using
xhrFields: { withCredentials:true }
as part of my jQuery ajax call was only part of the solution. I also needed to have the headers returned in the OPTIONS response from my resource:
Access-Control-Allow-Origin : http://www.wombling.com
Access-Control-Allow-Credentials : true
It was important that only one allowed "origin" was in the response header of the OPTIONS call and not "*". I achieved this by reading the origin from the request and populating it back into the response - probably circumventing the original reason for the restriction, but in my use case the security is not paramount.
I thought it worth explicitly mentioning the requirement for only one origin, as the W3C standard does allow for a space separated list -but Chrome doesn't!
http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
NB the "in practice" bit.
answered May 14 '14 at 16:50
wombling - Chris Painewombling - Chris Paine
1,0031114
add a comment |
Using
xhrFields: { withCredentials:true }
as part of my jQuery ajax call was only part of the solution. I also needed to have the headers returned in the OPTIONS response from my resource:
Access-Control-Allow-Origin : http://www.wombling.com
Access-Control-Allow-Credentials : true
It was important that only one allowed "origin" was in the response header of the OPTIONS call and not "*". I achieved this by reading the origin from the request and populating it back into the response - probably circumventing the original reason for the restriction, but in my use case the security is not paramount.
I thought it worth explicitly mentioning the requirement for only one origin, as the W3C standard does allow for a space separated list -but Chrome doesn't!
http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
NB the "in practice" bit.
answered May 14 '14 at 16:50
wombling - Chris Painewombling - Chris Paine
1,0031114
Using
xhrFields: { withCredentials:true }
as part of my jQuery ajax call was only part of the solution. I also needed to have the headers returned in the OPTIONS response from my resource:
Access-Control-Allow-Origin : http://www.wombling.com
Access-Control-Allow-Credentials : true
It was important that only one allowed "origin" was in the response header of the OPTIONS call and not "*". I achieved this by reading the origin from the request and populating it back into the response - probably circumventing the original reason for the restriction, but in my use case the security is not paramount.
I thought it worth explicitly mentioning the requirement for only one origin, as the W3C standard does allow for a space separated list -but Chrome doesn't!
http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
NB the "in practice" bit.
answered May 14 '14 at 16:50
wombling - Chris Painewombling - Chris Paine
1,0031114
answered May 14 '14 at 16:50
wombling - Chris Painewombling - Chris Paine
1,0031114
answered May 14 '14 at 16:50
wombling - Chris Painewombling - Chris Paine
1,0031114
answered May 14 '14 at 16:50
wombling - Chris Painewombling - Chris Paine
1,0031114
1,0031114
add a comment |
add a comment |
Put this in your init function:
$.ajaxSetup({
xhrFields: {
withCredentials: true
}
});
It will work.
edited Mar 22 '15 at 11:20
Daniel Kmak
13.6k64571
answered Mar 19 '15 at 7:08
Alex AthlanAlex Athlan
38933
You saved my day! On the method level withCredentials didn't work for me. But globaly like this it finally works! Thanks.
– Paulius Matulionis
Apr 10 '15 at 10:54
add a comment |
Put this in your init function:
$.ajaxSetup({
xhrFields: {
withCredentials: true
}
});
It will work.
edited Mar 22 '15 at 11:20
Daniel Kmak
13.6k64571
answered Mar 19 '15 at 7:08
Alex AthlanAlex Athlan
38933
You saved my day! On the method level withCredentials didn't work for me. But globaly like this it finally works! Thanks.
– Paulius Matulionis
Apr 10 '15 at 10:54
add a comment |
Put this in your init function:
$.ajaxSetup({
xhrFields: {
withCredentials: true
}
});
It will work.
edited Mar 22 '15 at 11:20
Daniel Kmak
13.6k64571
answered Mar 19 '15 at 7:08
Alex AthlanAlex Athlan
38933
Put this in your init function:
$.ajaxSetup({
xhrFields: {
withCredentials: true
}
});
It will work.
edited Mar 22 '15 at 11:20
Daniel Kmak
13.6k64571
answered Mar 19 '15 at 7:08
Alex AthlanAlex Athlan
38933
edited Mar 22 '15 at 11:20
Daniel Kmak
13.6k64571
edited Mar 22 '15 at 11:20
Daniel Kmak
13.6k64571
edited Mar 22 '15 at 11:20
Daniel Kmak
13.6k64571
13.6k64571
answered Mar 19 '15 at 7:08
Alex AthlanAlex Athlan
38933
answered Mar 19 '15 at 7:08
Alex AthlanAlex Athlan
38933
answered Mar 19 '15 at 7:08
Alex AthlanAlex Athlan
38933
38933
You saved my day! On the method level withCredentials didn't work for me. But globaly like this it finally works! Thanks.
– Paulius Matulionis
Apr 10 '15 at 10:54
add a comment |
You saved my day! On the method level withCredentials didn't work for me. But globaly like this it finally works! Thanks.
– Paulius Matulionis
Apr 10 '15 at 10:54
You saved my day! On the method level withCredentials didn't work for me. But globaly like this it finally works! Thanks.
– Paulius Matulionis
Apr 10 '15 at 10:54
You saved my day! On the method level withCredentials didn't work for me. But globaly like this it finally works! Thanks.
– Paulius Matulionis
Apr 10 '15 at 10:54
add a comment |
There are already a lot of good responses to this question, but I thought it may be helpful to clarify the case where you would expect the session cookie to be sent because the cookie domain matches, but it is not getting sent because the AJAX request is being made to a different subdomain. In this case, I have a cookie that is assigned to the *.mydomain.com domain, and I am wanting it to be included in an AJAX request to different.mydomain.com". By default, the cookie does not get sent. You do not need to disable HTTPONLY on the session cookie to resolve this issue. You only need to do what wombling suggested (https://stackoverflow.com/a/23660618/545223) and do the following.
1) Add the following to your ajax request.
xhrFields: { withCredentials:true }
2) Add the following to your response headers for resources in the different subdomain.
Access-Control-Allow-Origin : http://original.mydomain.com
Access-Control-Allow-Credentials : true
edited May 23 '17 at 12:26
Community♦
11
answered May 20 '14 at 23:03
munchbitmunchbit
470510
add a comment |
There are already a lot of good responses to this question, but I thought it may be helpful to clarify the case where you would expect the session cookie to be sent because the cookie domain matches, but it is not getting sent because the AJAX request is being made to a different subdomain. In this case, I have a cookie that is assigned to the *.mydomain.com domain, and I am wanting it to be included in an AJAX request to different.mydomain.com". By default, the cookie does not get sent. You do not need to disable HTTPONLY on the session cookie to resolve this issue. You only need to do what wombling suggested (https://stackoverflow.com/a/23660618/545223) and do the following.
1) Add the following to your ajax request.
xhrFields: { withCredentials:true }
2) Add the following to your response headers for resources in the different subdomain.
Access-Control-Allow-Origin : http://original.mydomain.com
Access-Control-Allow-Credentials : true
edited May 23 '17 at 12:26
Community♦
11
answered May 20 '14 at 23:03
munchbitmunchbit
470510
add a comment |
There are already a lot of good responses to this question, but I thought it may be helpful to clarify the case where you would expect the session cookie to be sent because the cookie domain matches, but it is not getting sent because the AJAX request is being made to a different subdomain. In this case, I have a cookie that is assigned to the *.mydomain.com domain, and I am wanting it to be included in an AJAX request to different.mydomain.com". By default, the cookie does not get sent. You do not need to disable HTTPONLY on the session cookie to resolve this issue. You only need to do what wombling suggested (https://stackoverflow.com/a/23660618/545223) and do the following.
1) Add the following to your ajax request.
xhrFields: { withCredentials:true }
2) Add the following to your response headers for resources in the different subdomain.
Access-Control-Allow-Origin : http://original.mydomain.com
Access-Control-Allow-Credentials : true
edited May 23 '17 at 12:26
Community♦
11
answered May 20 '14 at 23:03
munchbitmunchbit
470510
There are already a lot of good responses to this question, but I thought it may be helpful to clarify the case where you would expect the session cookie to be sent because the cookie domain matches, but it is not getting sent because the AJAX request is being made to a different subdomain. In this case, I have a cookie that is assigned to the *.mydomain.com domain, and I am wanting it to be included in an AJAX request to different.mydomain.com". By default, the cookie does not get sent. You do not need to disable HTTPONLY on the session cookie to resolve this issue. You only need to do what wombling suggested (https://stackoverflow.com/a/23660618/545223) and do the following.
1) Add the following to your ajax request.
xhrFields: { withCredentials:true }
2) Add the following to your response headers for resources in the different subdomain.
Access-Control-Allow-Origin : http://original.mydomain.com
Access-Control-Allow-Credentials : true
edited May 23 '17 at 12:26
Community♦
11
answered May 20 '14 at 23:03
munchbitmunchbit
470510
edited May 23 '17 at 12:26
Community♦
11
edited May 23 '17 at 12:26
Community♦
11
edited May 23 '17 at 12:26
Community♦
11
11
answered May 20 '14 at 23:03
munchbitmunchbit
470510
answered May 20 '14 at 23:03
munchbitmunchbit
470510
answered May 20 '14 at 23:03
munchbitmunchbit
470510
470510
add a comment |
add a comment |
After trying out the other solutions and still not getting it to work, I found out what the problem was in my case. I changed contentType from "application/json" to "text/plain".
$.ajax(fullUrl, {
type: "GET",
contentType: "text/plain",
xhrFields: {
withCredentials: true
},
crossDomain: true
});
answered Feb 23 '18 at 9:31
Janno TeelemJanno Teelem
945
add a comment |
After trying out the other solutions and still not getting it to work, I found out what the problem was in my case. I changed contentType from "application/json" to "text/plain".
$.ajax(fullUrl, {
type: "GET",
contentType: "text/plain",
xhrFields: {
withCredentials: true
},
crossDomain: true
});
answered Feb 23 '18 at 9:31
Janno TeelemJanno Teelem
945
add a comment |
After trying out the other solutions and still not getting it to work, I found out what the problem was in my case. I changed contentType from "application/json" to "text/plain".
$.ajax(fullUrl, {
type: "GET",
contentType: "text/plain",
xhrFields: {
withCredentials: true
},
crossDomain: true
});
answered Feb 23 '18 at 9:31
Janno TeelemJanno Teelem
945
After trying out the other solutions and still not getting it to work, I found out what the problem was in my case. I changed contentType from "application/json" to "text/plain".
$.ajax(fullUrl, {
type: "GET",
contentType: "text/plain",
xhrFields: {
withCredentials: true
},
crossDomain: true
});
answered Feb 23 '18 at 9:31
Janno TeelemJanno Teelem
945
answered Feb 23 '18 at 9:31
Janno TeelemJanno Teelem
945
answered Feb 23 '18 at 9:31
Janno TeelemJanno Teelem
945
answered Feb 23 '18 at 9:31
Janno TeelemJanno Teelem
945
945
add a comment |
add a comment |
I was having this same problem and doing some checks my script was just simply not getting the sessionid cookie.
I figured out by looking at the sessionid cookie value in the browser that my framework (Django) was passing the sessionid cookie with HttpOnly as default. This meant that scripts did not have access to the sessionid value and therefore were not passing it along with requests. Kind of ridiculous that HttpOnly would be the default value when so many things use Ajax which would require access restriction.
To fix this I changed a setting (SESSION_COOKIE_HTTPONLY=False) but in other cases it may be a "HttpOnly" flag on the cookie path
answered Oct 12 '13 at 17:16
wiwawiwa
445
blog.codinghorror.com/protecting-your-cookies-httponly
– TechSavvySam
Feb 17 '17 at 3:12
1
Do NOT do this. It allows client side script access to the session cookie which is the most common XSS attack vector. owasp.org/index.php/HttpOnly
– Jason Elkin
May 9 '17 at 14:42
add a comment |
I was having this same problem and doing some checks my script was just simply not getting the sessionid cookie.
I figured out by looking at the sessionid cookie value in the browser that my framework (Django) was passing the sessionid cookie with HttpOnly as default. This meant that scripts did not have access to the sessionid value and therefore were not passing it along with requests. Kind of ridiculous that HttpOnly would be the default value when so many things use Ajax which would require access restriction.
To fix this I changed a setting (SESSION_COOKIE_HTTPONLY=False) but in other cases it may be a "HttpOnly" flag on the cookie path
answered Oct 12 '13 at 17:16
wiwawiwa
445
blog.codinghorror.com/protecting-your-cookies-httponly
– TechSavvySam
Feb 17 '17 at 3:12
1
Do NOT do this. It allows client side script access to the session cookie which is the most common XSS attack vector. owasp.org/index.php/HttpOnly
– Jason Elkin
May 9 '17 at 14:42
add a comment |
I was having this same problem and doing some checks my script was just simply not getting the sessionid cookie.
I figured out by looking at the sessionid cookie value in the browser that my framework (Django) was passing the sessionid cookie with HttpOnly as default. This meant that scripts did not have access to the sessionid value and therefore were not passing it along with requests. Kind of ridiculous that HttpOnly would be the default value when so many things use Ajax which would require access restriction.
To fix this I changed a setting (SESSION_COOKIE_HTTPONLY=False) but in other cases it may be a "HttpOnly" flag on the cookie path
answered Oct 12 '13 at 17:16
wiwawiwa
445
I was having this same problem and doing some checks my script was just simply not getting the sessionid cookie.
I figured out by looking at the sessionid cookie value in the browser that my framework (Django) was passing the sessionid cookie with HttpOnly as default. This meant that scripts did not have access to the sessionid value and therefore were not passing it along with requests. Kind of ridiculous that HttpOnly would be the default value when so many things use Ajax which would require access restriction.
To fix this I changed a setting (SESSION_COOKIE_HTTPONLY=False) but in other cases it may be a "HttpOnly" flag on the cookie path
answered Oct 12 '13 at 17:16
wiwawiwa
445
answered Oct 12 '13 at 17:16
wiwawiwa
445
answered Oct 12 '13 at 17:16
wiwawiwa
445
answered Oct 12 '13 at 17:16
wiwawiwa
445
445
blog.codinghorror.com/protecting-your-cookies-httponly
– TechSavvySam
Feb 17 '17 at 3:12
1
Do NOT do this. It allows client side script access to the session cookie which is the most common XSS attack vector. owasp.org/index.php/HttpOnly
– Jason Elkin
May 9 '17 at 14:42
add a comment |
blog.codinghorror.com/protecting-your-cookies-httponly
– TechSavvySam
Feb 17 '17 at 3:12
1
Do NOT do this. It allows client side script access to the session cookie which is the most common XSS attack vector. owasp.org/index.php/HttpOnly
– Jason Elkin
May 9 '17 at 14:42
blog.codinghorror.com/protecting-your-cookies-httponly
– TechSavvySam
Feb 17 '17 at 3:12
blog.codinghorror.com/protecting-your-cookies-httponly
– TechSavvySam
Feb 17 '17 at 3:12
1
1
Do NOT do this. It allows client side script access to the session cookie which is the most common XSS attack vector. owasp.org/index.php/HttpOnly
– Jason Elkin
May 9 '17 at 14:42
Do NOT do this. It allows client side script access to the session cookie which is the most common XSS attack vector. owasp.org/index.php/HttpOnly
– Jason Elkin
May 9 '17 at 14:42
add a comment |
If you are developing on localhost or a port on localhost such as localhost:8080, in addition to the steps described in the answers above, you also need to ensure that you are not passing a domain value in the Set-Cookie header.
You cannot set the domain to localhost in the Set-Cookie header - that's incorrect - just omit the domain.
See Cookies on localhost with explicit domain and Why won't asp.net create cookies in localhost?
edited May 23 '17 at 11:55
Community♦
11
answered Jul 11 '15 at 9:17
jitinjitin
619713
Can you show sample code
– Meas
Feb 21 at 5:35
add a comment |
If you are developing on localhost or a port on localhost such as localhost:8080, in addition to the steps described in the answers above, you also need to ensure that you are not passing a domain value in the Set-Cookie header.
You cannot set the domain to localhost in the Set-Cookie header - that's incorrect - just omit the domain.
See Cookies on localhost with explicit domain and Why won't asp.net create cookies in localhost?
edited May 23 '17 at 11:55
Community♦
11
answered Jul 11 '15 at 9:17
jitinjitin
619713
Can you show sample code
– Meas
Feb 21 at 5:35
add a comment |
If you are developing on localhost or a port on localhost such as localhost:8080, in addition to the steps described in the answers above, you also need to ensure that you are not passing a domain value in the Set-Cookie header.
You cannot set the domain to localhost in the Set-Cookie header - that's incorrect - just omit the domain.
See Cookies on localhost with explicit domain and Why won't asp.net create cookies in localhost?
edited May 23 '17 at 11:55
Community♦
11
answered Jul 11 '15 at 9:17
jitinjitin
619713
If you are developing on localhost or a port on localhost such as localhost:8080, in addition to the steps described in the answers above, you also need to ensure that you are not passing a domain value in the Set-Cookie header.
You cannot set the domain to localhost in the Set-Cookie header - that's incorrect - just omit the domain.
See Cookies on localhost with explicit domain and Why won't asp.net create cookies in localhost?
edited May 23 '17 at 11:55
Community♦
11
answered Jul 11 '15 at 9:17
jitinjitin
619713
edited May 23 '17 at 11:55
Community♦
11
edited May 23 '17 at 11:55
Community♦
11
edited May 23 '17 at 11:55
Community♦
11
11
answered Jul 11 '15 at 9:17
jitinjitin
619713
answered Jul 11 '15 at 9:17
jitinjitin
619713
answered Jul 11 '15 at 9:17
jitinjitin
619713
619713
Can you show sample code
– Meas
Feb 21 at 5:35
add a comment |
Can you show sample code
– Meas
Feb 21 at 5:35
Can you show sample code
– Meas
Feb 21 at 5:35
Can you show sample code
– Meas
Feb 21 at 5:35
add a comment |
Just my 2 cents on setting PHPSESSID cookie issue when on localhost and under dev environment. I make the AJAX call to my REST API endpoint on the locahost. Say its address is mysite.localhost/api/member/login/ (virtal host on my dev environment).
When I do this request on Postman, things go fine and PHPSESSID is set with the response.
When I request this endpoint via AJAX from the Browsersync proxied page (e.g. from
122.133.1.110:3000/test/api/login.phpin my browser address line, see the domain is different vsmysite.localhost) PHPSESSID does not appear among cookies.When I make this request directly from the page on the same domain (i.e.
mysite.localhost/test/api/login.php) PHPSESSID is set just fine.
So this is a cross-origin origin request cookies issue as mentioned in @flu answer above
answered Nov 15 '18 at 9:32
bob-12345bob-12345
188411
add a comment |
Just my 2 cents on setting PHPSESSID cookie issue when on localhost and under dev environment. I make the AJAX call to my REST API endpoint on the locahost. Say its address is mysite.localhost/api/member/login/ (virtal host on my dev environment).
When I do this request on Postman, things go fine and PHPSESSID is set with the response.
When I request this endpoint via AJAX from the Browsersync proxied page (e.g. from
122.133.1.110:3000/test/api/login.phpin my browser address line, see the domain is different vsmysite.localhost) PHPSESSID does not appear among cookies.When I make this request directly from the page on the same domain (i.e.
mysite.localhost/test/api/login.php) PHPSESSID is set just fine.
So this is a cross-origin origin request cookies issue as mentioned in @flu answer above
answered Nov 15 '18 at 9:32
bob-12345bob-12345
188411
add a comment |
Just my 2 cents on setting PHPSESSID cookie issue when on localhost and under dev environment. I make the AJAX call to my REST API endpoint on the locahost. Say its address is mysite.localhost/api/member/login/ (virtal host on my dev environment).
When I do this request on Postman, things go fine and PHPSESSID is set with the response.
When I request this endpoint via AJAX from the Browsersync proxied page (e.g. from
122.133.1.110:3000/test/api/login.phpin my browser address line, see the domain is different vsmysite.localhost) PHPSESSID does not appear among cookies.When I make this request directly from the page on the same domain (i.e.
mysite.localhost/test/api/login.php) PHPSESSID is set just fine.
So this is a cross-origin origin request cookies issue as mentioned in @flu answer above
answered Nov 15 '18 at 9:32
bob-12345bob-12345
188411
Just my 2 cents on setting PHPSESSID cookie issue when on localhost and under dev environment. I make the AJAX call to my REST API endpoint on the locahost. Say its address is mysite.localhost/api/member/login/ (virtal host on my dev environment).
When I do this request on Postman, things go fine and PHPSESSID is set with the response.
When I request this endpoint via AJAX from the Browsersync proxied page (e.g. from
122.133.1.110:3000/test/api/login.phpin my browser address line, see the domain is different vsmysite.localhost) PHPSESSID does not appear among cookies.When I make this request directly from the page on the same domain (i.e.
mysite.localhost/test/api/login.php) PHPSESSID is set just fine.
So this is a cross-origin origin request cookies issue as mentioned in @flu answer above
answered Nov 15 '18 at 9:32
bob-12345bob-12345
188411
answered Nov 15 '18 at 9:32
bob-12345bob-12345
188411
answered Nov 15 '18 at 9:32
bob-12345bob-12345
188411
answered Nov 15 '18 at 9:32
bob-12345bob-12345
188411
188411
add a comment |
add a comment |
You have to initialize the session before you trying to login.
For php, you have to do
session_start();
on the page from where you start the login ajax call.
So that the SESSIONID will be created and stored the browser cookie. And sent along with request header during the ajax call, if you do the ajax request to the same domain
For the successive ajax calls browser will use the SESSIONID that created and stored initially in browser cookie, unless we clear the browser cookie or do logout (or set another cookie)
answered May 27 '17 at 5:58
Mohammed SafeerMohammed Safeer
10.6k55462
add a comment |
You have to initialize the session before you trying to login.
For php, you have to do
session_start();
on the page from where you start the login ajax call.
So that the SESSIONID will be created and stored the browser cookie. And sent along with request header during the ajax call, if you do the ajax request to the same domain
For the successive ajax calls browser will use the SESSIONID that created and stored initially in browser cookie, unless we clear the browser cookie or do logout (or set another cookie)
answered May 27 '17 at 5:58
Mohammed SafeerMohammed Safeer
10.6k55462
add a comment |
You have to initialize the session before you trying to login.
For php, you have to do
session_start();
on the page from where you start the login ajax call.
So that the SESSIONID will be created and stored the browser cookie. And sent along with request header during the ajax call, if you do the ajax request to the same domain
For the successive ajax calls browser will use the SESSIONID that created and stored initially in browser cookie, unless we clear the browser cookie or do logout (or set another cookie)
answered May 27 '17 at 5:58
Mohammed SafeerMohammed Safeer
10.6k55462
You have to initialize the session before you trying to login.
For php, you have to do
session_start();
on the page from where you start the login ajax call.
So that the SESSIONID will be created and stored the browser cookie. And sent along with request header during the ajax call, if you do the ajax request to the same domain
For the successive ajax calls browser will use the SESSIONID that created and stored initially in browser cookie, unless we clear the browser cookie or do logout (or set another cookie)
answered May 27 '17 at 5:58
Mohammed SafeerMohammed Safeer
10.6k55462
answered May 27 '17 at 5:58
Mohammed SafeerMohammed Safeer
10.6k55462
answered May 27 '17 at 5:58
Mohammed SafeerMohammed Safeer
10.6k55462
answered May 27 '17 at 5:58
Mohammed SafeerMohammed Safeer
10.6k55462
10.6k55462
add a comment |
add a comment |
Perhaps not 100% answering the question, but i stumbled onto this thread in the hope of solving a session problem when ajax-posting a fileupload from the assetmanager of the innovastudio editor.
Eventually the solution was simple: they have a flash-uploader. Disabling that (setting
var flashUpload = false;
in asset.php) and the lights started blinking again.
As these problems can be very hard to debug i found that putting something like the following in the upload handler will set you (well, me in this case) on the right track:
$sn=session_name();
error_log("session_name: $sn ");
if(isset($_GET[$sn])) error_log("session as GET param");
if(isset($_POST[$sn])) error_log("session as POST param");
if(isset($_COOKIE[$sn])) error_log("session as Cookie");
if(isset($PHPSESSID)) error_log("session as Global");
A dive into the log and I quickly spotted the missing session, where no cookie was sent.
answered Aug 4 '14 at 22:05
Ellert van KoperenEllert van Koperen
400314
I don't think the example above would work, because when there's no session cookie, what would the value of $sn be? (a random one, or maybe null), alternatively users could set session_name from a GET value for examplesession_name(isset($_GET['sess']) ? $_GET['sess'] : null);session_start();this way, they'd get a working thing
– Steel Brain
Dec 21 '14 at 2:30
That is exactly how i found the problem: no session when posting from this flash uploader thingy. As using a GET variable session identifier is a bad idea, and the cookie was not working, i threw it out. Who cares, flash is a thing of the past anyways.
– Ellert van Koperen
Dec 22 '14 at 12:22
add a comment |
Perhaps not 100% answering the question, but i stumbled onto this thread in the hope of solving a session problem when ajax-posting a fileupload from the assetmanager of the innovastudio editor.
Eventually the solution was simple: they have a flash-uploader. Disabling that (setting
var flashUpload = false;
in asset.php) and the lights started blinking again.
As these problems can be very hard to debug i found that putting something like the following in the upload handler will set you (well, me in this case) on the right track:
$sn=session_name();
error_log("session_name: $sn ");
if(isset($_GET[$sn])) error_log("session as GET param");
if(isset($_POST[$sn])) error_log("session as POST param");
if(isset($_COOKIE[$sn])) error_log("session as Cookie");
if(isset($PHPSESSID)) error_log("session as Global");
A dive into the log and I quickly spotted the missing session, where no cookie was sent.
answered Aug 4 '14 at 22:05
Ellert van KoperenEllert van Koperen
400314
I don't think the example above would work, because when there's no session cookie, what would the value of $sn be? (a random one, or maybe null), alternatively users could set session_name from a GET value for examplesession_name(isset($_GET['sess']) ? $_GET['sess'] : null);session_start();this way, they'd get a working thing
– Steel Brain
Dec 21 '14 at 2:30
That is exactly how i found the problem: no session when posting from this flash uploader thingy. As using a GET variable session identifier is a bad idea, and the cookie was not working, i threw it out. Who cares, flash is a thing of the past anyways.
– Ellert van Koperen
Dec 22 '14 at 12:22
add a comment |
Perhaps not 100% answering the question, but i stumbled onto this thread in the hope of solving a session problem when ajax-posting a fileupload from the assetmanager of the innovastudio editor.
Eventually the solution was simple: they have a flash-uploader. Disabling that (setting
var flashUpload = false;
in asset.php) and the lights started blinking again.
As these problems can be very hard to debug i found that putting something like the following in the upload handler will set you (well, me in this case) on the right track:
$sn=session_name();
error_log("session_name: $sn ");
if(isset($_GET[$sn])) error_log("session as GET param");
if(isset($_POST[$sn])) error_log("session as POST param");
if(isset($_COOKIE[$sn])) error_log("session as Cookie");
if(isset($PHPSESSID)) error_log("session as Global");
A dive into the log and I quickly spotted the missing session, where no cookie was sent.
answered Aug 4 '14 at 22:05
Ellert van KoperenEllert van Koperen
400314
Perhaps not 100% answering the question, but i stumbled onto this thread in the hope of solving a session problem when ajax-posting a fileupload from the assetmanager of the innovastudio editor.
Eventually the solution was simple: they have a flash-uploader. Disabling that (setting
var flashUpload = false;
in asset.php) and the lights started blinking again.
As these problems can be very hard to debug i found that putting something like the following in the upload handler will set you (well, me in this case) on the right track:
$sn=session_name();
error_log("session_name: $sn ");
if(isset($_GET[$sn])) error_log("session as GET param");
if(isset($_POST[$sn])) error_log("session as POST param");
if(isset($_COOKIE[$sn])) error_log("session as Cookie");
if(isset($PHPSESSID)) error_log("session as Global");
A dive into the log and I quickly spotted the missing session, where no cookie was sent.
answered Aug 4 '14 at 22:05
Ellert van KoperenEllert van Koperen
400314
answered Aug 4 '14 at 22:05
Ellert van KoperenEllert van Koperen
400314
answered Aug 4 '14 at 22:05
Ellert van KoperenEllert van Koperen
400314
answered Aug 4 '14 at 22:05
Ellert van KoperenEllert van Koperen
400314
400314
I don't think the example above would work, because when there's no session cookie, what would the value of $sn be? (a random one, or maybe null), alternatively users could set session_name from a GET value for examplesession_name(isset($_GET['sess']) ? $_GET['sess'] : null);session_start();this way, they'd get a working thing
– Steel Brain
Dec 21 '14 at 2:30
That is exactly how i found the problem: no session when posting from this flash uploader thingy. As using a GET variable session identifier is a bad idea, and the cookie was not working, i threw it out. Who cares, flash is a thing of the past anyways.
– Ellert van Koperen
Dec 22 '14 at 12:22
add a comment |
I don't think the example above would work, because when there's no session cookie, what would the value of $sn be? (a random one, or maybe null), alternatively users could set session_name from a GET value for examplesession_name(isset($_GET['sess']) ? $_GET['sess'] : null);session_start();this way, they'd get a working thing
– Steel Brain
Dec 21 '14 at 2:30
That is exactly how i found the problem: no session when posting from this flash uploader thingy. As using a GET variable session identifier is a bad idea, and the cookie was not working, i threw it out. Who cares, flash is a thing of the past anyways.
– Ellert van Koperen
Dec 22 '14 at 12:22
I don't think the example above would work, because when there's no session cookie, what would the value of $sn be? (a random one, or maybe null), alternatively users could set session_name from a GET value for example
session_name(isset($_GET['sess']) ? $_GET['sess'] : null);session_start(); this way, they'd get a working thing– Steel Brain
Dec 21 '14 at 2:30
I don't think the example above would work, because when there's no session cookie, what would the value of $sn be? (a random one, or maybe null), alternatively users could set session_name from a GET value for example
session_name(isset($_GET['sess']) ? $_GET['sess'] : null);session_start(); this way, they'd get a working thing– Steel Brain
Dec 21 '14 at 2:30
That is exactly how i found the problem: no session when posting from this flash uploader thingy. As using a GET variable session identifier is a bad idea, and the cookie was not working, i threw it out. Who cares, flash is a thing of the past anyways.
– Ellert van Koperen
Dec 22 '14 at 12:22
That is exactly how i found the problem: no session when posting from this flash uploader thingy. As using a GET variable session identifier is a bad idea, and the cookie was not working, i threw it out. Who cares, flash is a thing of the past anyways.
– Ellert van Koperen
Dec 22 '14 at 12:22
add a comment |
protected by Community♦ Sep 25 '15 at 18:16
Thank you for your interest in this question.
Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?
2
Cookie of ajax might come after the web cookie and FireBug might catch the first page cookie.
– Chris
May 20 '10 at 0:48
1
I did not get what u mean but I can say if I paste the request url in browser address bar and check Firebug again, I can see the cookie in headres sent to the server. Any solutions?
– user345625
May 20 '10 at 1:04
So, I think ajax will also handle same way browser does
– user345625
May 20 '10 at 1:05
What is the code you're using?
– Dean Harding
May 20 '10 at 1:06
the browser will still create cookies set by the server during a ajax request, jquery or otherwise. Did you check the response to the ajax request and ensure cookies came back from the server to be set? There could be a problem with the server code such that it is not even setting the cookie, etc.
– David
May 20 '10 at 1:27