Set cookies for cross origin requests

by

Cross site approach

To allow receiving & sending cookies by a CORS request successfully, do the following.

Back-end (server):
Set the HTTP header Access-Control-Allow-Credentials value to true.
Also, make sure the HTTP headers Access-Control-Allow-Origin and Access-Control-Allow-Headers are set and not with a wildcard *.

For more info on setting CORS in express js read the docs here.

Cookie settings:
Cookie settings per Chrome and Firefox update in 2021: SameSite=None and Secure. When doing SameSite=None, setting Secure is a requirement. See docs on SameSite and on requirement of Secure. Also note that Chrome devtools now have improved filtering and highlighting of problems with cookies in the Network tab and Application tab.

Front-end (client): Set the XMLHttpRequest.withCredentials flag to true, this can be achieved in different ways depending on the request-response library used:

Proxy approach

Avoid having to do cross site (CORS) stuff altogether. You can achieve this with a proxy. Simply send all traffic to the same top level domain name and route using DNS (subdomain) and/or load balancing. With Nginx this is relatively little effort.

This approach is a perfect marriage with JAMStack. JAMStack dictates API and Webapp code to be completely decoupled by design. More and more users block 3rd party cookies. If API and Webapp can easily be served on the same host, the 3rd party problem (cross site / CORS) dissolves. Read about JAMStack here or here.

Sidenote

It turned out that Chrome won’t set the cookie if the domain contains a port. Setting it for localhost (without port) is not a problem. Many thanks to Erwin for this tip!

More Related Contents:

  1. Token Authentication vs. Cookies
  2. How does cookie based authentication work?
  3. Why are cookies unrecognized when a link is clicked from an external source (i.e. Excel, Word, etc…)
  4. OWIN – Authentication.SignOut() doesn’t seem to remove the cookie
  5. Sending cookie session id with Swagger 3.0
  6. Origin null is not allowed by Access-Control-Allow-Origin
  7. Authentication filter and servlet for login
  8. Cross domain cookies
  9. How to secure MongoDB with username and password
  10. Error when connect to impala with JDBC under kerberos authrication
  11. What exactly does the Access-Control-Allow-Credentials header do?
  12. Handling Browser Authentication using Selenium
  13. user authentication libraries for node.js?
  14. Authentication with 2 different tables
  15. LDAP: error code 49 – 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
  16. Set-Cookie on Browser with Ajax Request via CORS
  17. CORS cookie credentials from mobile WebView loaded locally with file://
  18. Is Facebook an OpenID provider?
  19. Setting HTTP headers
  20. asp.net cookies, authentication and session timeouts
  21. Cannot load Deezer API resources from localhost with the Fetch API
  22. REST API Token-based Authentication
  23. Spring security: adding “On successful login event listener”
  24. No route matches [GET] “/users/sign_out”
  25. Where can I find a list of OpenID Provider URLs? [closed]
  26. ASP.NET MVC 3 using Authentication
  27. Customize Authentication – Login Symfony2 Messages
  28. How to use Client Certificate Authentication in iOS App
  29. Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app
  30. Web API 2, OWIN Authentication, SignOut doesn’t logout

Leave a Comment