0

I'm running an angular 4 client on localhost:3000, which is communicating with a WEB API localhost:5000. My problem is, that I can't figure out why the browser refuses to store a cookie, when the server instructs it to do so.

Client Request Headers

Request URL:https://local.dev:5000/user/list?page=1&column=Email&listOrder=2 Request Method:POST Status Code:200 OK Remote Address:127.0.0.1:5000 Referrer Policy:no-referrer-when-downgrade Accept:application/json Accept-Encoding:gzip, deflate, br Accept-Language:en-NZ,en-GB;q=0.8,en-US;q=0.6,en;q=0.4 Cache-Control:no-cache Connection:keep-alive Content-Length:0 Content-Type:application/json DNT:1 Host:local.dev:5000 Origin:https://localhost:3000 Pragma:no-cache Referer:https://localhost:3000/user

Server Response Headers:

Access-Control-Allow-Credentials:true Access-Control-Allow-Origin:https://localhost:3000 Cache-Control:no-cache Content-Type:application/json; charset=utf-8 credentials:include Date:Tue, 09 May 2017 08:22:25 GMT Expires:-1 Pragma:no-cache Server:Kestrel Set-Cookie: <cookiename>=<somedata>; expires=Tue, 09 May 2017 09:22:23 GMT; domain=local.dev; path=/; secure; httponly Transfer-Encoding:chunked Vary:Origin withCredentials:true

As you can see CORS is also enabled. HTTPS is used for transmission. Also tried without setting an expiration date. The cookie's domain is set to local.dev. I also tried with / and localhost.

Afterwards Chrome's debug view does not display the cookie. Just some default angular cookie. Therefore I assume the set-cookie header is ignored for some reason.

chrome debug view. cookie not stored

HELP!

Improve this question
9
  • Did you specify that cookies should be accepted for cross-domain requests in your API call? Commented May 9, 2017 at 8:51
  • I'm not sure. How do I achieve that? Commented May 9, 2017 at 8:52
  • That’s what the withCredentials flag of XMLHttpRequest is for. (How that translates into angular, please research yourself.) Commented May 9, 2017 at 8:53
  • @CBroe Access-Control-Allow-Credentials is true on the server's repsonse if that's what you mean. Commented May 9, 2017 at 9:33
  • No, it is not what I mean. What I wrote is what I mean. Commented May 9, 2017 at 9:34

1 Answer 1

Reset to default
4

For cross-domain AJAX requests, you need to explicitly specify that cookies should be send with the request, and accepted in the response.

This is done using the withCredentials flag of the XMLHttpRequest object.

In Angular, you can set it as an option of the $http service, see also AngularJS withCredentials

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I don't see any difference in neither request and response headers, do you know why it is important to explicitly set that option? I thought the browser is repsonsible to store the cookie and not the application itself.
You should see a difference in request headers, if you are sending cookies, or additional credentials such as for HTTP Auth. In the response you don’t see a difference, because the server tries to set the cookie anyway. The withCredentials flag determines whether the browser accepts that cookie from the response header for cross-domain requests.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.