
I am working with sessions in PHP and I wanted to know if you can pass sessions from one domain to another while using Ajax?

This is the index.html in domain.com

domain.com 
index.html -> jQuery
$.post($url,$form.serialize(),function(e){console.log(e)});

This is the index.php in sub.domain.com

sub.domain.com
json_encode<-index.php
==================== vvv INDEX.PHP PAGE vvv ======================
$session_options = array(
    'httponly' => true,
    'secure' => true,
    'domain' => 'domain.com'
);
session_set_cookie_params($session_options);
session_name( md5(sha1(md5($data))));
session_start();

switch ($_SERVER['HTTP_ORIGIN']) {
    case 'www.domain.com':
        header('Access-Control-Allow-Origin: www.domain.com');
        break;
    case 'domain.com':
        header('Access-Control-Allow-Origin: domain.com');
        break;
}

header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');
header('Content-Type: application/json');

I am able to create a session in sub.domain.com if I visit it and if I go back to domain.com it crosses. However, when I call the sub.domain.com from domain.com it does not create the session and pass it to the domain.com. Or, should I do something like a JWT or Bearer Token?

Now, the reason why I am doing this is authentication, then after the authentication, the user can make other calls to other app functions.

So, trying my darndest, I have moved the ajax (sub.domain.com) to the same domain for debugging/testing. When I make the call using Ajax from the same domain (domain.com) it works and sets the PHP session cookie in the browser without navigating to the ajax folder (like physically opening the page). It will even go cross-domain to the sub-domains with no problems. But if I put the ajax back to the sub-domain, without physically opening the page, it will not set on an Ajax call.

  • Possible duplicate: https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain – Twisty Aug 12 '20 at 19:12
  • @Twisty - thank you for the post. I have an understanding of the cookies and cross-domain. However, that is not my question. My question is in regards to the cookie not setting when it's being called via Ajax from the main domain. I am able to get the cookie across domains if I physically go to the page sub.domain.com and then/or at the same time visit domain.com. The cookie will show up on domain.com. However, the cookie will not appear when I call the post via Ajax. However, again, thank you for the useful post –  Aug 12 '20 at 20:18
  • I wonder if it's client related. When you review the payload in Network tab, do you see a Cookie in the Response? You could also dynamically create an iFrame with the source, as a Touch method to establish the cookie and then POST. – Twisty Aug 12 '20 at 21:32
  • @Twisty, yes I do see the cookie in the network trace and I see it in the browsers network. –  Aug 12 '20 at 21:42
  • @Twisty - I can see the cookie in the XHR but when I call the xhr via javascript I am not seeing anything. I am using the following: xhr.getResponseHeader('Set-Cookie') –  Aug 12 '20 at 22:08
  • Does this answer your question? [Share cookie between subdomain and domain](https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain) – cosmoonot Aug 12 '20 at 23:53
  • @cosmoonot, no, the cookie is shared just fine. It's the Ajax POST method that I have trouble getting the cookie request. I can get the cookie response, just not the request. If I do a get, I get the cookie request. –  Aug 12 '20 at 23:57

1 Answer


After hours of research and then reverse engineering Google.com, I found that Google uses a datatype of JSONP. After changing the dataType for my ajax request, I got it to work cross-domain.

$.ajax({
    type: "GET",
    url: 'URL_GOES_HERE',
    data: form.serialize(),
    success: function(data, status, xhr){
        console.log(data);
        console.log(status);
        console.log(xhr.getAllResponseHeaders());
    },
    dataType: 'jsonp'
});

Now, the drawback to this is kind of heavy. jsonp can only work in a GET
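
An alternative that keeps POST available, as an added example (not code from the question or the answer): the server echoes an allowlisted origin exactly as the browser sends it, scheme included, and the jQuery call opts in to credentials. The `https://` origins and all function names are assumptions, and the decision index.php would make is modelled in JavaScript so it can be run.

```javascript
// Added example; origins and function names are assumptions, not the poster's code.
const ALLOWED_ORIGINS = new Set(['https://domain.com', 'https://www.domain.com']);

// Models the per-request decision index.php on sub.domain.com has to make.
// Browsers send Origin as scheme://host[:port], so a bare 'domain.com' never matches.
function corsHeadersFor(origin, method) {
  const headers = { 'Vary': 'Origin' }; // keep caches from reusing one origin's grant
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no grant: the browser will not expose the response to the page
  }
  // Credentialed responses need the exact origin echoed back; '*' is rejected.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (method === 'OPTIONS') { // preflight only
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Auth-Token';
    headers['Access-Control-Max-Age'] = '86400';
  }
  return headers;
}

// jQuery settings for the call made from domain.com. Without withCredentials a
// cross-origin XHR sends no cookies and ignores Set-Cookie in the response.
function credentialedPost(url, data) {
  return {
    type: 'POST',
    url: url,
    data: data,
    dataType: 'json',
    xhrFields: { withCredentials: true },
  };
}
// In the page: $.ajax(credentialedPost(url, $form.serialize())).done(console.log);

// The browser's CORS check for a credentialed request, reduced to its two conditions.
function browserExposesResponse(pageOrigin, responseHeaders) {
  return responseHeaders['Access-Control-Allow-Origin'] === pageOrigin &&
         responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}
```

Unlike JSONP, the response is readable only from the allowlisted origins. `xhr.getResponseHeader('Set-Cookie')` returns null either way because browsers hide that header from scripts; check the cookie store in the developer tools instead.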