I need to get a protected page from an external site. If I call it directly, I get an error:

Bad Request

Postman:

[screenshot: Postman request returning Bad Request]

But if I call a login page with valid credentials via Postman:

[screenshot: Postman login request]

and then request THE SAME resource page again from the same Postman, I get the protected page!

[screenshot: Postman request returning the protected page]

I have to get the same page on my website. I tried to implement it the following way:

            var loginXml = "<Request><MsgType>Authenticate</MsgType><SubMsgType>Login</SubMsgType><UserID>my_login</UserID><passwordNotEncrypted>my_password</passwordNotEncrypted></Request>";
            $.ajax({
                url: 'https://address/browserservices.aspx/login',
                type: 'POST',
                contentType: 'text/xml',
                dataType: 'text',          // jQuery option is camelCase; "datatype" is silently ignored
                //xhrFields: {
                //    withCredentials: true
                //},
                //crossDomain: true,
                data: loginXml,
                success: function (output, status, xhr) {
                    // browsers never expose Set-Cookie to script, so this shows null
                    alert(xhr.getResponseHeader("Set-Cookie"));
                    $.ajax({
                        url: "https://address/RemoteSupport.aspx?id=GUID&pltFrmType=Android&agentversion=13.46",
                        type: 'GET',
                        xhrFields: { withCredentials: true },   // ask the browser to send cookies cross-origin
                        //crossDomain: true,
                        success: function (x) { },
                        error: function (xhr, textStatus) { alert(xhr.status); }
                    });
                }
            });

but I get Bad Request again. Which headers/cookies should I pass to the page to open the protected page, like in Postman?

ADDED 28/01/19: Postman "Cookies" tab after a successful login request (a failed login request shows the same):

[screenshot: Postman Cookies tab]

and "Headers" tab:

[screenshot: Postman Headers tab]

As I see, all access-control-allow headers are available. What should I pass via ajax?

Oleg Sh
  • Postman is likely storing something in the session which allows you to log on. Usually to authenticate with an application you'd hit an endpoint and be returned something like a token which can be sent with the next request – MikeS Jan 25 '19 at 16:37
  • @MikeS I understand it, but how to implement? – Oleg Sh Jan 25 '19 at 22:00
  • You need to provide more info. Like for example where you are running it... Because if you are trying to run it on a normal browser, it will most likely fail since cross domain requests will return an error in most cases. – GramThanos Jan 27 '19 at 00:38
  • @GramThanos I don't have more info. It works with Postman, but I can't do it for web – Oleg Sh Jan 27 '19 at 17:47
  • Check if Postman is saving any cookie. Probably, after login you are getting some cookie that Postman stores for you. If this is happening, you should implement this flow in your code. – gatsby Jan 28 '19 at 08:31
  • What is the value for the `alert(xhr.GetResponseHeader("Set-Cookie")`? – ste-fu Jan 28 '19 at 15:48
  • @ste-fu `xhr.getResponseHeader("Set-Cookie")` returns `null` – Oleg Sh Jan 28 '19 at 21:02

1 Answer

Based on the information that you have supplied there are two likely scenarios.

Firstly, the cookie that is set by the external site is HttpOnly. This is easy enough to check in Postman, by clicking on the Cookies tab.

The second option is a little more complex, but the external server has to set the Access Control headers correctly. Again there is a Headers tab to view these. More info on cross domain ajax and headers in this question: Why is jquery's .ajax() method not sending my session cookie?

Finally worth noting, your browser will automatically add a header to indicate that it is an ajax request. You could try adding the X-Requested-With: XMLHttpRequest header in Postman and seeing how it differs from your examples. The external server may well be configured to respond differently to ajax requests than to browser or server-server api requests.

Update: Your Postman update shows that both of those scenarios are true. Unfortunately this means that you cannot achieve your desired result with JavaScript. HttpOnly = true means that the browser will never allow the script on your page to access the cookie.

At this point your best bet is probably to write a little proxy method on your own site that makes the request server to server and then returns the result to your JavaScript code. This should bypass all the above issues albeit you need to make 2 requests instead of 1 for the data.

Take a look at this answer for some code:

Struggling trying to get cookie out of response with HttpClient in .net 4.5

ste-fu
  • I added `headers: {"X-Requested-With": "XMLHttpRequest"}` to ajax call, nothing changed – Oleg Sh Jan 28 '19 at 21:25
  • Thank you, it helped me! Right now I need to solve next problem, linked with it. Could you look at it? https://stackoverflow.com/questions/54412534/how-to-open-page-in-browser-with-cookie – Oleg Sh Jan 29 '19 at 01:14
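The two checks the answer describes (is the session cookie HttpOnly, and do the CORS headers permit a credentialed request) together with the cookie-forwarding step of the suggested server-side proxy, as an added JavaScript example that is not code from the question or the answer. The header values, cookie names and `pageOrigin` are constructed assumptions, not values from the site in the question.

```javascript
// Added example, not code from the question or the answer: the two checks the
// answer describes (is the session cookie HttpOnly; do the CORS headers permit a
// credentialed request) plus the cookie-forwarding step of the suggested proxy.
// Header values below are constructed samples, not from the site in the question.

// Parse one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1).trim(),
                   httpOnly: false, secure: false, sameSite: null };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// Browser rule for a credentialed (withCredentials: true) cross-origin request:
// Access-Control-Allow-Origin must echo the exact page origin (never "*") and
// Access-Control-Allow-Credentials must be "true"; otherwise the browser blocks
// the response even though the server did send CORS headers.
function credentialedCorsAllowed(responseHeaders, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowCreds = (h['access-control-allow-credentials'] || '').toLowerCase();
  return h['access-control-allow-origin'] === pageOrigin && allowCreds === 'true';
}

// Proxy step: turn the Set-Cookie headers of the login response into the Cookie
// header to forward on the server-to-server request for the protected page.
// HttpOnly is irrelevant here because the proxy is not a browser script.
function buildCookieHeader(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie).map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed samples: an HttpOnly session cookie and a wildcard CORS response.
const sampleSetCookie = ['ASP.NET_SessionId=abc123; path=/; HttpOnly', 'auth=tok; path=/; Secure; HttpOnly'];
const sampleCorsHeaders = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
const pageOrigin = 'https://myapp.example';
console.log(sampleSetCookie.map((s) => parseSetCookie(s).httpOnly));   // [ true, true ]
console.log(credentialedCorsAllowed(sampleCorsHeaders, pageOrigin));   // false
console.log(buildCookieHeader(sampleSetCookie));                      // ASP.NET_SessionId=abc123; auth=tok
```

A wildcard Access-Control-Allow-Origin with an HttpOnly cookie is exactly the combination the answer says cannot be made to work from page script, which is why the proxy forwards the cookie server to server instead.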