
I have a js client application that uses an http-only cookie to store the currently authenticated user's credentials. The application uses the data in the cookie to perform the per-request authentication.

However, the application does make ajax requests that unfortunately do not include the cookie. When the server comes to process these requests, it believes it has no cookie, therefore there is no authenticated user, and performs a redirect to the login page. Still, the cookie is there and all standard http requests work as expected.

Is there any easy workaround for this issue? What is the recommended practice in such scenarios?

Ivaylo Slavov
  • Have you tried using fiddler to check if the cookie is sent back and forth? Also "http-only" flag on cookies is not respected by all browsers. Try posting some sample code. – Nir Levy Jan 07 '13 at 14:21
  • Even if the cookie is HttpOnly, it will still be passed for AJAX requests (even if the JS itself cannot read it). – SilverlightFox Jan 08 '13 at 08:40
  • The issue was caused by zepto js library. In general, the described scenario should work and when switched to jQuery, the problem is no more. – Ivaylo Slavov Jan 09 '13 at 09:47

1 Answer


The issue was caused by the zepto library being used, which had the particular problem of not passing the cookie (some known issue of the library). When jQuery was used instead, all worked as expected.

Ivaylo Slavov
  • Could you post the link to the issue opened in Zepto project? – PaquitoSoft Dec 19 '13 at 16:48
  • @PaquitoSoft, I'll try to find relevant info and update the answer, but it was a colleague of mine that diagnosed the case. What was important for us was that it was OK with jQuery, so we dropped zepto. – Ivaylo Slavov Dec 20 '13 at 08:33
  • 1
    In my case, the problem was solved using the 'withCredentials' attribute in the xhr object. You can check this link out to find out more info: https://github.com/madrobby/zepto/issues/274 – PaquitoSoft Dec 20 '13 at 18:35
  • @PaquitoSoft, thanks for the information, I'll update the answer with the link, if relevant. – Ivaylo Slavov Dec 23 '13 at 18:06
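The `withCredentials` fix from the comments only does half the job: the browser also refuses to deliver a credentialed cross-origin response unless the server echoes an explicit origin and sets `Access-Control-Allow-Credentials`. This added example (not code from the question, the answer or the Zepto project) shows both halves; the `StubXhr` class and the `example.test` hosts are constructed stand-ins so it runs outside a browser.

```javascript
// Added example, not from the original post. A credentialed cross-origin
// AJAX request needs two things:
//  1. the client opts in with xhr.withCredentials = true, otherwise the
//     browser strips the session cookie and the server sees an anonymous
//     request (the redirect-to-login symptom in the question);
//  2. the server echoes an explicit origin plus
//     Access-Control-Allow-Credentials: true; a wildcard origin is rejected
//     by browsers whenever credentials are attached.

// Client side. xhrFactory is injected so this runs with a stub here and
// with `() => new XMLHttpRequest()` in a browser. The jQuery equivalent is
// $.ajax({ url, xhrFields: { withCredentials: true } }).
function sendAuthenticatedRequest(url, xhrFactory, onDone) {
  const xhr = xhrFactory();
  xhr.open('GET', url, true);
  xhr.withCredentials = true; // the fix discussed in the comment thread
  xhr.onload = () => onDone(xhr.status, xhr.responseText);
  xhr.send(null);
  return xhr;
}

// Server side: CORS headers for a request that carries credentials.
// Returns null for an origin outside the allow-list (answer 403 there).
function corsHeadersForCredentialedRequest(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin, // explicit, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                             // keep caches per-origin
  };
}

// Constructed stand-in for XMLHttpRequest: behaves like a browser that only
// attaches the HttpOnly cookie when withCredentials is set, talking to a
// server that redirects anonymous requests to the login page.
class StubXhr {
  constructor() { this.withCredentials = false; this.status = 0; this.responseText = ''; }
  open(method, url) { this.method = method; this.url = url; }
  send() {
    const cookieSent = this.withCredentials;           // browser-side decision
    this.status = cookieSent ? 200 : 302;              // 302 = redirect to login
    this.responseText = cookieSent ? '{"user":"alice"}' : '';
    if (this.onload) this.onload();
  }
}

// Demo: with withCredentials the request reaches the server authenticated.
function demo() {
  let result = null;
  const xhr = sendAuthenticatedRequest('https://api.example.test/me',
    () => new StubXhr(), (status, body) => { result = { status, body }; });
  return { ...result, xhr };
}
```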