Cross Origin Resource Sharing with Credentials

by

Two thoughts:

1) are you also including the “Access-Control-Allow-Credentials: true” header? This is needed for passing cookie credentials (and the corresponding XHR client must set .withCredentials = true)

2) Have you tried the suggestion from your link and only include the origin for the current request. For example, if a request comes in with the header “Origin: http://blog.example.com“, you would respond with “Access-Control-Allow-Origin: http://blog.example.com“, and not a list of origins. This requires a little more work on your server side implementation.

3) One other thought, you mention that you have a single login form that must be shared by various domains. Well, if it is a standard HTML form, you can do a regular form-post across domains. You don’t need to use CORS. Just set the “action” property of the form to the url you wish to post to. For example:

<form name="login" action="http://login.example.com/doLogin">

More Related Contents:

  1. Why is an OPTIONS request sent and can I disable it?
  2. CORS with POSTMAN
  3. When do browsers send the Origin header? When do browsers set the origin to null?
  4. CORS Access-Control-Allow-Headers wildcard being ignored?
  5. CORS request with Preflight and redirect: disallowed. Workarounds?
  6. What are proper status codes for CORS preflight requests?
  7. Setting HTTP headers
  8. Angular2 OPTIONS method sent when asking for http.GET [duplicate]
  9. How to make XMLHttpRequest cross-domain withCredentials, HTTP Authorization (CORS)?
  10. What is the maximum length of a URL in different browsers?
  11. Access-Control-Allow-Origin Multiple Origin Domains?
  12. What requests do browsers’ “F5” and “Ctrl + F5” refreshes generate?
  13. Is a 302 redirect to relative URL valid, or invalid?
  14. ETag vs Header Expires
  15. What is the limit on QueryString / GET / URL parameters
  16. What is the difference between URI, URL and URN? [duplicate]
  17. Comparing HTTP and FTP for transferring files
  18. How big can a user agent string get?
  19. What rules apply to MIME boundary?
  20. How can I find out whether a server supports the Range header?
  21. REST, HTTP DELETE and parameters
  22. fetch() does not send headers?
  23. Official references for default values of concurrent HTTP/1.1 connections per server? [closed]
  24. What is the http-header “X-XSS-Protection”?
  25. What is correct HTTP status code when redirecting to a login page?
  26. How to cancel a HTTPRequest in Angular 2?
  27. Sending browser cookies during a 302 redirect
  28. Correctly switching between HTTP and HTTPS using .htaccess
  29. What is the difference between server side cookie and client side cookie?
  30. What is a connection timeout during a http request

Leave a Comment