6

I need an HttpOnly authentication cookie to work on:

mydomain.com
www.mydomain.com
abc.mydomain.com

so that I can be logged into all three places via a single login.

This is working fine, by setting my cookie domain to:

.mydomain.com

here is the response header that sets the cookie:

MYAUTHCOOKIE=FOO; domain=.mydomain.com; path=/; HttpOnly

This all works fine for normal browser requests.

However, I need to make an AJAX request from mydomain.com and www.mydomain.com to abc.mydomain.com.

When I make the request, it isn't passing the authentication cookie. Why is this, and what can I do about it?

If I make a request to the same host as the page the JS resides on, it does send the cookie :s

Here's my request code:

$.ajax({
    type: "POST"
    , data: { data: { foo: bar } }          // bar is defined elsewhere on the page
    , dataType: "json"
    , url: "http://abc.mydomain.com/foo"    // different origin from the calling page
    , timeout: 5000
    // no xhrFields/withCredentials here, so the browser omits cookies on this cross-origin XHR
    , success: function (data, textStatus) {
        alert('woo!');
    }
    , error: function (xhr, textStatus, error) {
        alert('meh');
    }
});

Is this some cross-domain policy? Why doesn't the cookie domain make this work?

Thanks

Andrew Bullock
  • 34,331
  • 32
  • 145
  • 217

1 Answer

1

According to the same origin policy, subdomains are indeed "hostile" to your top domain, but it can be fixed by setting document.domain (same article).

Dmitry Shevchenko
  • 28,728
  • 10
  • 52
  • 62
  • If you set document.domain to 'foo.com' on URL http://one.foo.com/, how does the server know the document.domain setting on http://two.foo.com/ before it makes the request to 'two'? –  Mar 28 '12 at 18:29
  • How would making CORS requests with access-control headers affect this situation? – Mnebuerquo Aug 31 '14 at 20:26
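The CORS route raised in the last comment, as an added example that is not part of the question or the answer above. It assumes the three hosts from the question served over HTTPS and a handler on abc.mydomain.com that can set response headers per request; the allow-list, the handler and the request objects are constructed for illustration. The point it shows: the cookie domain decides which hosts the browser is willing to send the cookie to, but a cross-origin XHR only carries cookies when the page opts in with withCredentials and the target host opts in with Access-Control-Allow-Origin (the exact origin, never "*") plus Access-Control-Allow-Credentials. Setting document.domain relaxes DOM access between frames; it does not change what the browser attaches to an XHR.

```javascript
'use strict';
// Added example, not code from the question or the answer. Assumes the hosts
// from the question on HTTPS; ALLOWED_ORIGINS and the request objects are made up.

// Origins that may call abc.mydomain.com with the user's cookie (assumed list).
// Browsers send Origin on same-origin POSTs too, so abc itself is listed.
const ALLOWED_ORIGINS = new Set([
  'https://mydomain.com',
  'https://www.mydomain.com',
  'https://abc.mydomain.com',
]);

// CORS headers for one request. Returns null when the Origin is not allowed;
// the caller then answers 403 and sends no CORS headers at all.
function corsHeadersFor(origin, method, requestedHeaders) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,       // exact echo; "*" is refused with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                             // shared caches must key on Origin
  };
  if (method === 'OPTIONS') {                     // preflight for a non-simple request
    headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = requestedHeaders || 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Handler for abc.mydomain.com/foo. `req` is { method, headers } with
// lower-case header names, as Node's http module presents them.
// The Origin check runs before any work: the browser only blocks reading the
// response, the request itself (and the cookie) still reaches the server.
function handleRequest(req) {
  const cors = corsHeadersFor(req.headers.origin, req.method,
                              req.headers['access-control-request-headers']);
  if (req.headers.origin && !cors) return { status: 403, headers: {}, body: 'origin not allowed' };
  const headers = cors || {};
  if (req.method === 'OPTIONS') return { status: 204, headers, body: '' };

  // Same login check as a normal page load: the HttpOnly cookie from the question.
  const cookies = parseCookies(req.headers.cookie || '');
  if (cookies.MYAUTHCOOKIE !== 'FOO') return { status: 401, headers, body: 'not logged in' };
  return { status: 200, headers: { ...headers, 'Content-Type': 'application/json' },
           body: JSON.stringify({ ok: true }) };
}

// Browser side: the question's jQuery call plus the one option it was missing.
function credentialedAjaxOptions(url, payload) {
  return {
    type: 'POST',
    url,
    data: payload,
    dataType: 'json',
    timeout: 5000,
    xhrFields: { withCredentials: true },   // jQuery 1.5.1+; with fetch(): credentials: 'include'
  };
}

// Constructed requests, as a browser on https://www.mydomain.com would send them,
// and one from an unrelated origin that still carries the cookie.
const preflight = handleRequest({ method: 'OPTIONS', headers: {
  origin: 'https://www.mydomain.com', 'access-control-request-method': 'POST',
  'access-control-request-headers': 'content-type' } });
const post = handleRequest({ method: 'POST', headers: {
  origin: 'https://www.mydomain.com', cookie: 'MYAUTHCOOKIE=FOO' } });
const attacker = handleRequest({ method: 'POST', headers: {
  origin: 'https://evil.example', cookie: 'MYAUTHCOOKIE=FOO' } });
console.log(preflight.status, post.status, attacker.status);
```

Two caveats a practitioner should keep in mind. A jQuery POST with the default form-encoded content type is a "simple" request, so there is no preflight: the browser sends it, cookie included, from any page that sets withCredentials, and only refuses to hand the response to a disallowed origin. The server-side Origin check therefore has to run before any state change, and a CSRF token is still needed for the POST itself. Also, the Set-Cookie in the question carries no Secure attribute; once the cookie rides on cross-origin requests it should have one, and note that SameSite does not help here, since mydomain.com and abc.mydomain.com count as the same site.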