17

I have a web application that uses jQuery.ajax to perform a request to another host (right now actually the same because I'm using different ports of "localhost"). The server then returns a cookie.

The cookie value in the HTTP response as shown in Chrome's Dev Tools is

Set-Cookie: MyUserSession=JxQoyzYm1VfESmuh-v22wyiyLREyOkuQWauziTrimjKo=;expires=Sun, 10 Feb 2013 22:08:47 GMT;path=/api/rest/

and so has an expiry of 4 hours in the future.

However, the cookie does not get stored and sent with subsequent requests (tested in both Chrome and Firefox). I first thought it must be "10-Feb-2013" instead of "10 Feb 2013" but that doesn't make a difference. Chrome also shows "Expires" as "Invalid date" on the cookies tab of the response, but that might as well be a Dev Tools bug.

Any ideas?

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
AndiDog
  • 68,631
  • 21
  • 159
  • 205
  • Did you try to run your code in a web-server, e.g. not at localhost? – funerr Feb 10 '13 at 18:26
  • what language are you using to write this? – TheZuck Feb 10 '13 at 18:47
  • also, Assuming you're not in GMT, what time zone are you in? – TheZuck Feb 10 '13 at 18:49
  • I'm using [ServiceStack](https://github.com/ServiceStack/ServiceStack) for the web service. My timezone is Berlin (GMT+1 currently), so that's not the problem IMO. – AndiDog Feb 10 '13 at 19:28
  • I also now tried with the server on an external host, same problem. Even changed the cookie to be simply "MyUserSession=TESTTEST", i.e. session expiry and no URL path restriction – still does not get stored! – AndiDog Feb 10 '13 at 19:51

3 Answers3

29

I think I found the solution. Since during development, my server is at "localhost:30002" and my web app at "localhost:8003", they are considered different hosts regarding CORS. Therefore, all my requests to the server are covered by CORS security rules, especially Requests with credentials. "Credentials" include cookies as noted on that link, so the returned cookie was not accepted because I did not pass

xhrFields: {
  withCredentials: true
}

to jQuery's $.ajax function. I also have to pass that option to subsequent CORS requests in order to send the cookie.

I added the header Access-Control-Allow-Credentials: true on the server side and changed the Access-Control-Allow-Origin header from wildcard to http://localhost:8003 (port number is significant!). That solution now works for me and the cookie gets stored.

AndiDog
  • 68,631
  • 21
  • 159
  • 205
4

After struggling with a similar scenario (no CORS) for hours, I found out another potential reason: be sure to explicitly set the path for the cookie.

My front-end app was making a call to HOST_URL/api/members/login, and this was returning the right Set-Cookie header, with no path.

I could see the cookie under Response Cookies in Chrome DevTools, but subsequent requests were not including it. Went to chrome://settings/cookies, and the cookie was there, but the path was /api/members.

Specifying root path when setting the cookie at server-side fixed the issue.

Manuel Pedrera
  • 5,347
  • 2
  • 30
  • 47
0

where do you get the date from?

if you add it manually try making it failproof

var exdays = 3; //3 days valid as an example
var exdate=new Date();
exdate.setDate(exdate.getDate() + exdays);
//Now set the cookie to said exdate
document.cookie = "MyUserSession =" + escape(JxQoyzYm1VfESmuh-v22wyiyLREyOkuQWauziTrimjKo=)+"; expires="+exdate.toUTCString());
itsid
  • 801
  • 7
  • 16
  • Good idea. I entered `document.cookie = "MyUserSession=JxQoyzYm1VfESmuh-v22wyiyLREyOkuQWauziTrimjKo=;expires=Sun, 10 Feb 2013 22:08:47 GMT;path=/api/rest/"` in the JS console and the cookie actually showed up in my cookie debugging extension. Very strange. – AndiDog Feb 10 '13 at 19:29
  • is it possible that you simply forgot to attach the cookie to the document in your previous code? IIRC it cannot be attached to window.cookie for example – itsid Feb 10 '13 at 23:35
  • btw it has to be `exdate.setDate(exdate.getTime() + (exhours *3600) ); //where exhours is 4 in your case` to match your desired expiration of course – itsid Feb 10 '13 at 23:41