Tags: extjs, extjs4, asp.net-web-api, membership-provider

Authentication cookie ignored by REST proxy requests


3 servers on same domain. Custom membership provider with forms authentication.

  1. ASP.net webforms with login (forms authentication)
  2. ASP.net webapi
  3. ExtJs web app

Authentication between 1 and 2 works ok. Auth cookie is being set in browser as expected. Consuming webapi methods directly from browser works ok.

Problem: ExtJs REST proxies in server #3 are not sending the authorization cookie. Server responds all OPTIONS and GET with 401 Unauthorized.

I would really appreciate any help. Thanks.

Request headers:

GET /api/codigos/?aux=xtiposoli&_dc=1364785770273&page=1&start=0&limit=25&filter=%5B%7B%22property%22%3A%22nombre%22%7D%5D HTTP/1.1
Host: webapi.pruebas.com:8888
Connection: keep-alive
Origin: http://users.pruebas.com:8889
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Accept: */*
Referer: http://users.pruebas.com:8889/app.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: es-ES,es;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response headers:

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcVG9ueU1heW9yYWxcRHJvcGJveFxQcm95ZWN0b3NcTmV0MjAxMlxTRVNcU0VTLldlYkFwaVxhcGlcY29kaWdvc1w=?=
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Date: Mon, 01 Apr 2013 03:09:35 GMT
Content-Length: 71

Solution

  • I managed to resolve this with the following changes:

    ExtJs Application Launch:

    // Stop ExtJS adding its X-Requested-With header; without a custom header a plain GET needs no OPTIONS preflight.
    Ext.Ajax.useDefaultXhrHeader = false;
    // Send cookies with cross-origin XHR requests (browsers omit them unless this flag is set).
    Ext.Ajax.withCredentials = true;

    WebApi's web.config:

      <!-- placed under <system.webServer><httpProtocol> -->
      <customHeaders>
        <add name="Access-Control-Allow-Credentials" value="true" />
        <!-- the exact app origin: browsers reject "*" when credentials are sent -->
        <add name="Access-Control-Allow-Origin" value="http://users.pruebas.com:8889" />
        <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
      </customHeaders>
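
The client-side and server-side changes above only work as a pair: with `withCredentials` off, the browser never attaches the forms-authentication cookie to a cross-origin request (the 401 seen in the question), and with it on, the browser refuses any response whose `Access-Control-Allow-Origin` is `*`. The following is an added example, not code from the question, the answer, ExtJS or ASP.NET Web API: it models the browser's CORS check for credentialed requests and a server-side origin-allowlist header builder in JavaScript. The allowed origin is the one from the post; the other origins and the `diagnose` helper are constructed for illustration.

```javascript
// Added example: model of the browser's CORS rules for credentialed XHR,
// plus a server-side header builder that applies the accepted fix
// (exact origin + Access-Control-Allow-Credentials). Not ExtJS/Web API code.

// Origins that may call the API with cookies. The single entry is the ExtJS
// app origin from the question; in practice this list is deployment config.
const ALLOWED_ORIGINS = new Set(["http://users.pruebas.com:8889"]);

// Server side: CORS headers for a request carrying `origin`.
// Returns null for origins not on the allowlist, i.e. no CORS headers at all,
// which the browser treats as "not allowed".
function buildCorsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    // Echo the exact origin; "*" is never accepted together with credentials.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    // The answer depends on the Origin header, so shared caches must key on it.
    "Vary": "Origin",
  };
}

// Browser side: would the page be allowed to read this response?
// Follows the CORS check: "*" is fine only without credentials; otherwise the
// origin must match exactly and Allow-Credentials must be the literal "true".
function browserAcceptsResponse(requestOrigin, withCredentials, headers) {
  if (!headers) return false;
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }
  if (allowOrigin === "*") return false;
  if (allowOrigin !== requestOrigin) return false;
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed helper: explain the outcome for a given client flag and server
// response, reproducing the three states seen around the question.
function diagnose(requestOrigin, withCredentials, responseHeaders) {
  if (!withCredentials) {
    // This is the original symptom: the XHR reaches the server without the
    // auth cookie, so the server answers 401 even though CORS itself passes.
    return "cookie not sent";
  }
  if (!browserAcceptsResponse(requestOrigin, true, responseHeaders)) {
    // Cookie is sent, but the browser hides the response from the page.
    return "blocked by CORS";
  }
  return "ok";
}

// The response headers from the question's 401 (wildcard origin, no credentials header).
const ORIGINAL_RESPONSE_HEADERS = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
};

const APP_ORIGIN = "http://users.pruebas.com:8889";
console.log(diagnose(APP_ORIGIN, false, ORIGINAL_RESPONSE_HEADERS)); // cookie not sent
console.log(diagnose(APP_ORIGIN, true, ORIGINAL_RESPONSE_HEADERS));  // blocked by CORS
console.log(diagnose(APP_ORIGIN, true, buildCorsHeaders(APP_ORIGIN))); // ok
console.log(buildCorsHeaders("http://other.example"));                // null
```

The allowlist is the security-relevant part: once `Access-Control-Allow-Credentials: true` is sent, echoing an arbitrary `Origin` back would let any site make cookie-bearing requests to the API, so the origin must be compared against a fixed list rather than reflected.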