credentials: 'include' not including Cookie header

I'm using credentials: 'include' and mode: 'cors' on the client. On the server I see access-control-allow-credentials: true and access-control-allow-origin: https://dev.com:9443 headers. I don't see my cookie header though and I can't seem to find why it isn't sending. Let me know if I can provide any further details.

Fetch request

fetch(url, {
  method: 'get',
  credentials: 'include',
  mode: 'cors',
  headers: {
    'Content-Type': 'application/json'
  }
});

Options Request Headers

:authority: prod.fakedomain.com
:method: OPTIONS
:path: /Search
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,fr;q=0.8,la;q=0.7
access-control-request-headers: content-type
access-control-request-method: GET
cache-control: no-cache
dnt: 1
origin: https://dev.com:9443
pragma: no-cache
referer: https://dev.com:9443/
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Options Response Headers

access-control-allow-credentials: true
access-control-allow-headers: content-type
access-control-allow-methods: GET,HEAD,POST
access-control-allow-origin: https://dev.com:9443
access-control-max-age: 1800
allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
content-length: 0
date: Mon, 04 Feb 2019 03:45:06 GMT
status: 200
vary: Origin
x-application-context: application:8080

Get Request Headers

:authority: prod.fakedomain.com
:method: GET
:path: /Search
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,fr;q=0.8,la;q=0.7
cache-control: no-cache
content-type: application/json
dnt: 1
origin: https://dev.com:9443
pragma: no-cache
referer: https://dev.com:9443/
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Get Response Headers

access-control-allow-credentials: true
access-control-allow-origin: https://dev.com:9443
content-encoding: gzip
content-type: application/json;charset=UTF-8
date: Mon, 04 Feb 2019 03:45:07 GMT
status: 200
vary: Origin,Accept-Encoding
x-application-context: application:8080


Solution 1:[1]

As sideshowbarker mentioned in his comment, the browser doesn't set the cookie for the domain prod.fakedomain.com, and it looks like the server doesn't set a cookie either. So if you set cookies for dev.com and they are not httpOnly, then you can try to copy them to prod.fakedomain.com (by reading and writing them with JS).

If you want to store sensitive data in the cookies (e.g. JWT token), read about XSS/XST attacks and consider the possibility of using the HttpOnly flag.

Solution 2:[2]

I finally found out that the problem is just that the browser doesn't allow two different domains to share any cookie (except for the same second-level domain); it's beyond what credentials: include can do. After 2 hours of trying... I found out that credentials: include just means you can send cookies, but it doesn't mean you can send cookies between two different domains..

Whatever you do, change browser settings, set the cookie's SameSite, anyway, you just can't do that...

So that is my conclusion, hope you get it...

Solution 3:[3]

I was able to resolve this issue by going into my Safari privacy settings and unchecking Prevent cross-site tracking


Solution 4:[4]

I've tried for days and came to this conclusion:

credentials: 'include'

and

xhrFields: { withCredentials: true }

only work on the same domain with a different port; if we want to make a request to another domain we have to manually add credentials (token etc.) to the request header.
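The cookie scoping the answers describe, as an added example that is not part of the question or any answer: a small JavaScript model of the checks a browser applies before attaching a stored cookie to a fetch, run against the page's own hosts (dev.com:9443 calling prod.fakedomain.com), plus the response headers a credentialed CORS reply needs. The cookie objects, the two-label `site()` approximation and the `Lax` SameSite default are assumptions; the model also covers a case the answers do not, a cookie set by prod.fakedomain.com itself with SameSite=None; Secure, which a browser does send cross-site.

```javascript
// Added example, not the question's or any answer's code: a model of the
// checks a browser runs before attaching a stored cookie to a fetch. Cookie
// objects and the SameSite default are constructed assumptions.

// RFC 6265 domain matching: the request host is the cookie's domain or a
// subdomain of it. A cookie set for dev.com never matches prod.fakedomain.com.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  host = host.toLowerCase();
  return host === d || host.endsWith('.' + d);
}

// Registrable-domain approximation (last two labels); real browsers consult
// the Public Suffix List, which the hosts on this page do not need.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// cookie:  { name, domain, secure, sameSite }   (domain = host that set it)
// request: { url, initiatorOrigin, credentials } (credentials = fetch option)
// Returns { sent, why } so the reason a cookie is withheld is visible.
function cookieAttached(cookie, request) {
  const target = new URL(request.url);
  const initiator = new URL(request.initiatorOrigin);
  const crossOrigin = target.origin !== initiator.origin;
  const crossSite = site(target.hostname) !== site(initiator.hostname);
  const sameSite = cookie.sameSite || 'Lax'; // assumed browser default

  if (request.credentials !== 'include' && (crossOrigin || request.credentials === 'omit'))
    return { sent: false, why: `credentials: ${request.credentials} withholds the cookie` };
  if (!domainMatches(target.hostname, cookie.domain))
    return { sent: false, why: `cookie scoped to ${cookie.domain}, not ${target.hostname}` };
  if (cookie.secure && target.protocol !== 'https:')
    return { sent: false, why: 'Secure cookie on a non-https request' };
  if (crossSite && sameSite !== 'None')
    return { sent: false, why: `SameSite=${sameSite} blocks a cross-site send` };
  return { sent: true, why: 'domain, scheme, SameSite and credentials mode all allow it' };
}

// Server side of the same exchange: a credentialed CORS response must echo one
// allow-listed origin (never "*") and set allow-credentials, as the question's
// response headers already do; without them the browser hides the response.
function credentialedCorsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null; // no CORS headers at all
  return { 'access-control-allow-origin': requestOrigin, // never "*" with credentials
           'access-control-allow-credentials': 'true', vary: 'Origin' };
}
```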

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 BertieHuang
Solution 3 Sergio Mendoza
Solution 4 Agus Prawoto Hadi