
I want to use a secure cookie which is stored by the browser when accessing the endpoint /access on my website. The cookie is saved during the login process and I made sure that my website runs on a subdomain of my backend (which creates the cookies for the clients).

My backend is running on www.welovecoding.com and my web application is hosted on webapp.welovecoding.com.

The cookie which I receive from my backend looks like this:

Set-Cookie:user_id=RLXXWNCGAyVBmnogfiE1ngFCpBRKA48YaFOGyrPypwvU3eZCA==; Path=/access; Expires=Tue, 29-Sep-2015 17:37:11 GMT; Domain=.welovecoding.com; HttpOnly; Secure

What I want to do now is a POST request on www.welovecoding.com/access with my cookie as authentication credentials. I am sending withCredentials when executing my AJAX request with jQuery:

// Cross-origin request from webapp.welovecoding.com to the backend on
// www.welovecoding.com; withCredentials asks the browser to attach cookies.
$.ajax({
  crossDomain: true,
  type: 'POST',
  url: "http://www.welovecoding.com/access",
  xhrFields: {
    withCredentials: true
  }
}).done(function (data, textStatus, jqXHR) {
  console.log("Response", data);
});

But I still get an HTTP 403 error which says that the cookie is missing. Does anyone know why? Maybe because the cookie has HttpOnly and Secure set?

Benny Neugebauer
  • Are you sure your cookie is not rejected? According to this [post](http://stackoverflow.com/questions/5258126/domain-set-cookie-for-subdomain) it should be rejected. – Dmitry Sep 29 '14 at 12:10

1 Answer

Yes, it's because the cookie has Secure set, and you are posting to http.

;secure (cookie to only be transmitted over secure protocol as https)

https://developer.mozilla.org/en-US/docs/Web/API/document.cookie

wirey00
  • You're right! I forgot to mention that I also tested from HTTPS to HTTPS. But it did not work. Am I missing anything else? – Benny Neugebauer Sep 29 '14 at 12:25
  • Try removing the `xhrFields:{withCredentials:true}` as it's used for cross-domain requests – wirey00 Sep 29 '14 at 12:40
  • Also, if you "are" doing cross-domain, you need to set the appropriate preflight CORS headers http://www.staticapps.org/articles/cross-domain-requests-with-cors – wirey00 Sep 29 '14 at 13:05
  • Ok, I accepted your answer as my description was pointing to the fact that HTTPS is missing. By the way, do I have to store the cookie with JavaScript or will it be saved automatically by the browser when receiving it as "Set-Cookie" parameter? – Benny Neugebauer Sep 29 '14 at 16:10
  • It will automatically create the cookie for you. And since HttpOnly is also passed: `If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag).` https://www.owasp.org/index.php/HttpOnly – wirey00 Sep 29 '14 at 16:16
  • So was the main issue setting the cors headers? – wirey00 Sep 29 '14 at 16:20
  • Thanks for your support. With your help I solved the problem. I had to run on HTTPS because of the "secure" property in the cookie (as you mentioned). But I also needed to send "Access-Control-Allow-Credentials: true" with the cookie from the backend. And what was very surprising... I had to use the "xhrFields" in my request for the login (which gives me the cookie) and the actual request where I want to send that cookie back. So it works now! Thank you very much. :) – Benny Neugebauer Sep 30 '14 at 09:01