3

My CORS / XHR requests are lacking the remember_xyz cookie in the request headers when I don't use the --disable-web-security option in Chrome. If I enable that option, the remember_xyz cookie is included in the request headers and everything works fine.

As a workaround I'm currently sending the auth credentials via a basic auth header. But I think that's not the intended or right way.

How can I get that remember cookie included in the request headers?


Edit:
In Chrome's network console I can see the following:

(without the --disable-web-security option in Chrome)

The remember cookie is sent by Laravel in the first response headers, but it is not included in the next request's headers by Angular. Why?

Every request has that OPTIONS preflight request before the actual request fires. Is it possible that the preflight request removes/breaks the cookie somehow?

(with the --disable-web-security option in Chrome)

The remember cookie is sent by Laravel in the first response headers and is sent in the next request's headers by Angular. Everything is fine.


Edit 2:
Is it up to me to copy the said cookie from the response headers into the request headers? If yes, why don't I have to do this with the "--disable-web-security" option enabled in Chrome?


What am I doing wrong?

Thank you!

tagomago

1 Answer

2

Not sure I'm answering your question directly, but I'll take a stab. You DO need to set certain headers on the client side AND server for CORS.

The client needs to know to send the Cookie headers, or it will strip them out. For jQuery, this means setting the withCredentials parameter in your ajax call. See more info here. This sounds like the issue you are grappling with.

On the server side, you may need to ensure pre-flight requests are set up.

For instance, when I used CORS in Laravel 4, I had a filter to add some headers to each response:

App::after(function($request, $response)
{
    // Note that you cannot use wildcard domains when doing CORS with Authorization!
    $response->headers->set('Access-Control-Allow-Origin', 'http://dev.domain.local');
    $response->headers->set('Access-Control-Allow-Credentials', 'true');
    $response->headers->set('Access-Control-Allow-Headers', 'Authorization, X-Requested-With');
});

Within a controller, I also had an OPTIONS request respond for pre-flight requests. An example of that is:

public function optionsComplex()
{
    $response = Response::make(null, 200);
    $response->headers->set('Allow', 'GET, PUT, DELETE');
    $response->headers->set('Access-Control-Allow-Methods', 'GET, PUT, DELETE');
    return $response;
}

Hope that helps.

fideloper
  • Thanks! After all, I did it that way. Recently I discovered barryvdh/laravel-cors, which seems to work great. – tagomago Jan 30 '14 at 20:59
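
Added example, not part of the original answer or comments: a small checker that lists why a browser would refuse a credentialed cross-origin request, applying the rules the answer relies on (exact origin instead of a wildcard, `Access-Control-Allow-Credentials: true`, allowed methods and headers on the preflight). The function name, the input shape and the sample request are assumptions made for illustration.

```javascript
// Added example. Header names are lowercase, as Node and fetch() expose them.
const list = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// req: { origin, method, withCredentials, headers: [non-safelisted header names] }
// preflight / actual: response headers of the OPTIONS and of the real request.
function credentialedCorsProblems(req, preflight, actual) {
  const problems = [];
  if (!req.withCredentials) {
    problems.push('client: withCredentials is off, cookies are neither sent nor stored');
  }
  for (const [stage, h] of [['preflight', preflight], ['response', actual]]) {
    if (!h) continue; // no preflight happened for a simple request
    const origin = h['access-control-allow-origin'];
    if (origin === '*') {
      problems.push(`${stage}: wildcard Allow-Origin is rejected with credentials`);
    } else if (origin !== req.origin) {
      problems.push(`${stage}: Allow-Origin must equal ${req.origin}`);
    }
    if (h['access-control-allow-credentials'] !== 'true') {
      problems.push(`${stage}: Allow-Credentials must be exactly "true"`);
    }
  }
  if (preflight) {
    const methods = list(preflight['access-control-allow-methods']);
    if (!['GET', 'HEAD', 'POST'].includes(req.method) && !methods.includes(req.method)) {
      problems.push(`preflight: Allow-Methods lacks ${req.method}`);
    }
    const allowed = list(preflight['access-control-allow-headers']).map((s) => s.toLowerCase());
    for (const name of req.headers) {
      if (!allowed.includes(name.toLowerCase())) {
        problems.push(`preflight: Allow-Headers lacks ${name}`);
      }
    }
  }
  return problems;
}

// Constructed sample: the headers the Laravel filter and OPTIONS handler above emit.
const sampleHeaders = {
  'access-control-allow-origin': 'http://dev.domain.local',
  'access-control-allow-credentials': 'true',
  'access-control-allow-headers': 'Authorization, X-Requested-With',
  'access-control-allow-methods': 'GET, PUT, DELETE',
};
const sampleRequest = { origin: 'http://dev.domain.local', method: 'PUT',
  withCredentials: true, headers: ['Authorization'] };
console.log(credentialedCorsProblems(sampleRequest, sampleHeaders, sampleHeaders));
```

An empty list means the server side is ready for cookies; the client still has to opt in, for example with `withCredentials: true` in the request options.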