5

In AngularJS, I have my Restful API in a subdomain but I am having the problem where the cookie/session is not being shared across domains. For Angular I am doing this:

app.config(['$httpProvider',
function($httpProvider) {
    $httpProvider.defaults.useXDomain = true;
    $httpProvider.defaults.withCredentials = true;
    delete $httpProvider.defaults.headers.common['X-Requested-With'];
}]);

Also when I am making a request with $http I am doing

var object = {};

object.url = '/example'
object.withCredentials = true;

$http(object).success(object.success).error(object.error);

And On my server side I have:

if($_SERVER['REQUEST_METHOD']=='OPTIONS') {
    if(isset($_SERVER['HTTP_X_FOWARDED_HOST']) && !empty($_SERVER['HTTP_X_FOWARDED_HOST'])) {
        $origin=$_SERVER['HTTP_X_FOWARDED_HOST'];
    } else {
        $origin=$_SERVER['HTTP_ORIGIN'];
    }
    if(isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && ($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='POST' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='DELETE' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='PUT')) {
        header('Access-Control-Allow-Origin: '.$origin);
        header('Access-Control-Allow-Credentials: true');
        header('Access-Control-Allow-Headers:  *,X-Requested-With,Content-Type');
        //header('Access-Control-Allow-Headers: Content-Type');
        header('Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT');
        // http://stackoverflow.com/a/7605119/578667
        header('Access-Control-Max-Age: 86400');
    }

}

Now I see that the server is saying that it will allow credentials but its not being sent in the options request. Screenshot below.

enter image description here What am I doing wrong?

Devin Dixon
  • 9,088
  • 20
  • 70
  • 136

1 Answers1

11

By default credentials are NOT sent in a CORS pre-flight OPTIONS request. See here. See also this answer. The credentials will be sent on your actual request.

Also, useXDomain and X-Request-With headers are not actually used in current versions of angular, so those lines are doing nothing in your $httpProvider config. All CORS interaction is handled by the browser itself and your server.

In general to properly implement CORS your server should not require credentials on the preflight request. (Please note that some browsers send them anyway, but shouldn't.) This is because an OPTIONS request is considered "safe" and should never contain any confidential information.

It may be your problem is in the cookies you're trying to share across domains. What cookies are you trying to send where?

Community
  • 1
  • 1
Geoff Genz
  • 1,666
  • 15
  • 17
  • I have an SSO cookie assignment set up. So I solved it by having the CORS Option check before the session id check. If it is options, then it doesn't run the session id check for SSO. Else, use the cookie sent. – Devin Dixon Feb 28 '14 at 16:44