
I've managed to make a CORS request on IE8 using XDomainRequest. However, it seems the cookies are not sent on IE8. Is there any hack for that? The request is made from buy.example.com to buy.api.example.com

sideshowbarker
themihai
  • You have set a domain for the cookie? – Pekka Mar 06 '12 at 12:19
  • IE's XDomainRequest implementation of CORS doesn't allow cookies to be passed at all, for security reasons, says Microsoft. – Sudhir Bastakoti Mar 06 '12 at 12:20
  • @Mihai Check out point 5 -> http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx – SeanCocteau Mar 06 '12 at 13:53
  • @SeanCocteau thanks for the reference Sean. Seems that Microsoft did it again. Just another crap that we have to deal with. – themihai Mar 06 '12 at 15:03
  • @Neo the only way is to include the cookie values/auth token in the query string ... basically I modified our authentication filter to check for auth cookie value in the query string if cookies are not sent/detected (we some something like example.com/API?sessionId=$cookie_session_id&other parameters) – themihai May 14 '12 at 00:32
  • @mihai that's exactly what I ended up doing, I'm using jQuery with the cookie plugin so I send the cookies as GET params in ajax requests! :) – Neo May 14 '12 at 20:13
  • @Neo if you still do that make sure you are using SSL, otherwise the clients are sitting ducks! – themihai Dec 21 '13 at 09:34
  • @mihai yeah I know. lol – Neo Dec 30 '13 at 18:22

2 Answers


There is no way except to include the authentication cookie value / token in the query string, e.g.:

 buy.api.example.com/?sessionId=$sessionId&otherparameters=test 
and set your webservice to check the query string if cookies are not present.
themihai
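
One way to implement the server-side check this answer describes, as an added example that is not code from the thread. The `req` object shape, the cookie name `session`, and the helpers `resolveSessionId` and `redactUrl` are assumptions; it also applies the SSL point from the comments and keeps the token out of access logs.

```javascript
// Added example: hypothetical helpers, not code from the thread.
// `req` is a plain object { url, headers, secure } built by the caller;
// `secure` must be true only when the request arrived over TLS.
const SESSION_COOKIE = "session";  // assumed cookie name
const SESSION_PARAM = "sessionId"; // query parameter name used in the answer
const BASE = "https://placeholder.invalid"; // only needed to parse relative URLs

// Parse a Cookie header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Prefer the cookie. Accept the query-string token only over TLS, because
// a token in a plaintext URL is readable by anyone on the network path.
function resolveSessionId(req) {
  const fromCookie = parseCookies(req.headers.cookie)[SESSION_COOKIE];
  if (fromCookie) return { id: fromCookie, source: "cookie" };
  const fromQuery = new URL(req.url, BASE).searchParams.get(SESSION_PARAM);
  if (!fromQuery) return { id: null, source: "none" };
  if (!req.secure) return { id: null, source: "rejected-plaintext" };
  return { id: fromQuery, source: "query" };
}

// URLs end up in access logs, so mask the token before writing them there.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl, BASE);
  if (url.searchParams.has(SESSION_PARAM)) {
    url.searchParams.set(SESSION_PARAM, "REDACTED");
  }
  return url.pathname + url.search;
}

// Constructed sample request, modelled on the URL in the answer.
const sample = { url: "/?sessionId=abc123&otherparameters=test", headers: {}, secure: true };
console.log(resolveSessionId(sample), redactUrl(sample.url));
```
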

There is another way. If you use SSL on the non-default https port, it will keep sending the cookies. For example, if your URL is something like this https://example.com:8443/xxxx, then it will send the cookies.

I experience the same issue you have. My web app (internal web app) was working with https but in a non-standard port and it just works fine. When I configure to use 443, it stops working because the cookies are not sent by XDomainRequest object.

I hope this will help.

Wins