47

I know this has been asked before in various forms, but I can't seem to get around the problem. I have tried using both jQuery and the native JS API to make the Ajax requests.

My situation is the following (see attached diagram):

  1. Browser makes HTTP request
  2. Server responds and sets persistent Cookie
  3. Browser makes HTTP Ajax request, Cookie is there alright
  4. Server responds as expected, updates Cookie
  5. Browser makes HTTPS Ajax request, Cookie is not there anymore (?!)
  6. Server gives "default" response, since there is no Cookie (unintended behaviour)

Before anybody starts a lecture on cross-domain requests let me state a couple of things:

  • I know that this is a cross-domain request (different protocol), and that's why the Server sets the Access-Control-Allow-Origin header in the response (and I am using Chrome and Firefox, both of which support CORS)
  • What I also know, though, is that the HTTP cookie ought to be manageable over HTTPS (see here) since the host is the same
  • (EDIT) The cookie is properly set for the general domain (e.g. .domain.ext) and neither the HttpOnly nor the Secure flags are set

So, why, why, why doesn't the browser pass on the cookie when making the HTTPS Ajax call? Any ideas? I am about to lose my mind...

    +-----------+                              +-----------+
    |  Browser  |                              |  Server   |
    +-----------+                              +-----------+
          |            HTTP Request                  |
          |----------------------------------------->|
          |            HTTP Response (Set-cookie)    |
          |<-----------------------------------------|
          |            Ajax HTTP Req. (Cookie OK)    |
          |----------------------------------------->|
          |            HTTP Response (Set-cookie OK) |
          |<-----------------------------------------|
          |            Ajax HTTPS Req. (No Cookie!!!)|
          |----------------------------------------->|
  • Capture the HTTP request dump and check if any of the secure and http-only flags are set in the Set-Cookie statement. That would at least be a good place to start from. Commented Apr 19, 2012 at 15:19
  • stackoverflow.com/questions/5441836/… looks like this is a deliberate limitation. Commented Apr 20, 2012 at 9:49
  • Thanks, I had already read it, but it does not help at all. First, it says that an https cookie is encrypted, which is only true when in transit (otherwise the browser would not be able to access its data). The explanation given is also against the cookie specification, AFAIK. Commented Apr 20, 2012 at 11:00

2 Answers

80

Ok, found the solution to the cookie problem.

See XHR specs, jQuery docs and StackOverflow.

The solution to have the cookies sent when switching protocol and/or subdomain is to set the withCredentials property to true.

E.g. (using jQuery)

    $.ajax({
        /* Set up the call (url, type, data, ...) */
        xhrFields: {
            withCredentials: true
        }
    });

3 Comments

Awesome. You found the answer yourself. Thanks for sharing. So many posts when people find the answer and don't share. Kudos NeXuS.
Unfortunately I wasn't able to make it work nonetheless... :D
thanks, this worked for me after 2 days of trying to figure out why
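As an added example that is not part of the question or either answer: the server side of the same exchange, which the accepted answer leaves implicit. Setting withCredentials on the client only works if the server answers with an explicit Access-Control-Allow-Origin (never "*") and Access-Control-Allow-Credentials: true; the origins and the allow-list below are assumptions for illustration.

```javascript
// Added example (not from the question or answers): the server-side half of a
// credentialed cross-origin request, plus a model of the browser's acceptance
// check. Origins are constructed for illustration.

const ALLOWED_ORIGINS = new Set([
  "http://www.domain.ext", // the plain-HTTP page that makes the HTTPS Ajax call
]);

// Build the CORS response headers for a credentialed request. Echoing an
// arbitrary Origin here would let any site read the user's cookie-authenticated
// responses, so only allow-listed origins are acknowledged.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) {
    return null; // no CORS headers: the browser blocks the cross-origin read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin, // must be explicit, not "*"
    "Access-Control-Allow-Credentials": "true",   // required when cookies are sent
    "Vary": "Origin",                             // keep caches from mixing origins
  };
}

// Model of the browser-side check for a request made with withCredentials:
// the origin must match exactly (a wildcard is rejected) and the credentials
// header must be literally "true"; otherwise the response is discarded.
function browserAcceptsCredentialedResponse(headers, requestOrigin) {
  if (!headers) return false;
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  return acao === requestOrigin && acac === "true";
}

// Client side, for reference (only runs in a browser): the native XHR
// equivalent of the jQuery xhrFields setting in the answer above.
function credentialedXhr(method, url) {
  const xhr = new XMLHttpRequest();
  xhr.open(method, url, true);
  xhr.withCredentials = true; // send cookies and honour Set-Cookie cross-origin
  return xhr;
}
```

The wildcard case is the one that bites in practice: an `Access-Control-Allow-Origin: *` response that worked for anonymous requests stops working the moment withCredentials is switched on.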
0

Document.cookie and Ajax requests do not share the cookie. Otherwise, Ajax can't access the cookies from document.cookie or the response headers. They can only be controlled by the remote domain.

If you first get a response including a cookie from the server by Ajax, then you can make Ajax requests with the cookie to the server.

For this case, you write code such as the below (jQuery):

    $.ajax({
        xhrFields: {
            withCredentials: true
        }
    });

See this article and demo
