I struggle with a cookie that is set through a CORS request. Subsequently the browser won't send the cookie.
I tried:
The application (browser) runs on the main domain (dev.mydomain.com/myApp)
and sends a request (via an integrated WebComponent) to another domain (second.mydomain.com), which sets the cookie.
POST https://second.mydomain.com/verifyToken => 200
It responds:
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: https://dev.mydomain.com
Access-Control-Expose-Headers: Authorization
Access-Control-Allow-Credentials: true
Authorization: Bearer eyJra...
Set-Cookie: refreshToken=eyJra...; Path=/refresh; Secure; HttpOnly; SameSite=None
The request that should contain the cookie looks like this:
GET https://second.mydomain.com/refresh => 400
GET /refresh HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
DNT: 1
Host: second.mydomain.com
Origin: https://dev.mydomain.com
Referer: https://dev.mydomain.com/
The response headers:
HTTP/1.1 400
Date: Mon, 20 Nov 2023 12:05:41 GMT
Content-Length: 0
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: https://dev.mydomain.com
Access-Control-Expose-Headers: Authorization
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
Can anyone give me a hint why the cookie is not attached?
I also tried setting the Domain= attribute in the cookie. But the default behaviour should pick the request URL as domain (in this case: second.mydomain.com).
The request is sent via the axios REST client:
axios.get(refreshPath, {withCredentials: true});
I would really appreciate any hints.
Best regards, Alex
Credits to @CBroe
The correct solution was to use withCredentials=true
with the initial request, which leads to the response setting the cookie!
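The following is an added example, not code from the question or the answer above. It models, in plain JavaScript, the browser-side rules that decide whether a cross-site `Set-Cookie` is stored and later sent, so the failing flow from the question (first request without credentials) and the fixed flow from the answer (first request with `withCredentials: true`) can be run side by side. The names `serverResponse`, `BrowserModel`, `parseSetCookie` and `runFlow` are assumptions of this example; the origins, paths and cookie attributes are taken from the post, and the server stub is constructed.

```javascript
// Added example (not from the original post). Models the cookie and CORS
// rules behind the question: a cross-origin Set-Cookie is only honoured
// when the request was credentialed, and the cookie is only sent back on a
// later credentialed request if it is SameSite=None; Secure.
const PAGE_ORIGIN = "https://dev.mydomain.com";   // where the app runs (from the post)

// Constructed server stub echoing the post's CORS headers. /verifyToken sets
// the refresh cookie; /refresh answers 400 unless the cookie arrives.
function serverResponse(path, requestHeaders) {
  const headers = {
    "access-control-allow-origin": PAGE_ORIGIN,      // exact origin, never "*"
    "access-control-allow-credentials": "true",
  };
  if (path === "/verifyToken") {
    headers["set-cookie"] =
      "refreshToken=eyJra...; Path=/refresh; Secure; HttpOnly; SameSite=None";
    return { status: 200, headers };
  }
  if (path === "/refresh") {
    const ok = /(^|;\s*)refreshToken=/.test(requestHeaders.cookie || "");
    return { status: ok ? 200 : 400, headers };
  }
  return { status: 404, headers };
}

// Parse a Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Minimal browser model: a cookie jar plus the credentialed-CORS checks.
class BrowserModel {
  constructor() { this.jar = new Map(); }

  // Can the page read this response? With credentials, "*" is rejected and
  // Access-Control-Allow-Credentials must be exactly "true".
  corsAllows(res, withCredentials) {
    const acao = res.headers["access-control-allow-origin"];
    if (!withCredentials) return acao === "*" || acao === PAGE_ORIGIN;
    return acao === PAGE_ORIGIN &&
      res.headers["access-control-allow-credentials"] === "true";
  }

  request(path, { withCredentials = false } = {}) {
    const reqHeaders = {};
    // Cross-site requests only carry cookies when credentialed, and only
    // cookies marked SameSite=None whose Path matches the request path.
    const sendable = [...this.jar.values()].filter((c) =>
      String(c.attrs.samesite || "Lax").toLowerCase() === "none" &&
      path.startsWith(c.attrs.path || "/"));
    if (withCredentials && sendable.length) {
      reqHeaders.cookie = sendable.map((c) => `${c.name}=${c.value}`).join("; ");
    }
    const res = serverResponse(path, reqHeaders);

    // Set-Cookie on a cross-origin response is ignored unless the request was
    // credentialed; SameSite=None is additionally rejected without Secure.
    const sc = res.headers["set-cookie"];
    if (sc && withCredentials) {
      const c = parseSetCookie(sc);
      const sameSite = String(c.attrs.samesite || "Lax").toLowerCase();
      if (sameSite !== "none" || c.attrs.secure === true) this.jar.set(c.name, c);
    }
    // A failed CORS check surfaces to the page as a network error.
    return this.corsAllows(res, withCredentials) ? res : { status: 0, blocked: true };
  }
}

// Run the two-request flow from the post; only the first request's
// credentials flag varies. Returns the status of the /refresh call.
function runFlow(firstWithCredentials) {
  const browser = new BrowserModel();
  browser.request("/verifyToken", { withCredentials: firstWithCredentials });
  return browser.request("/refresh", { withCredentials: true }).status;
}

module.exports = { parseSetCookie, BrowserModel, runFlow };
```

`runFlow(false)` reproduces the question (the cookie set by `/verifyToken` is never stored, so `/refresh` answers 400), while `runFlow(true)` reproduces the accepted answer. Note that on the client side this is exactly the difference between `axios.post(verifyPath, body)` and `axios.post(verifyPath, body, {withCredentials: true})`; the `withCredentials: true` on the later `axios.get` alone is not enough.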