Tags: javascript, java, http, cookies, cors

Browser doesn't send Cookie when set through CORS request


I struggle with a cookie that is set through a CORS request. Subsequently, the browser won't send the cookie.

I tried:

  • adjusting cors-headers
  • sending allowCredentials client-side
  • SameSite=None flag

The application (browser) runs on the main domain (dev.mydomain.com/myApp) and sends a request (via an integrated WebComponent) to another domain (second.mydomain.com), which sets the cookie.

POST https://second.mydomain.com/verifyToken => 200

It responds:

Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: https://dev.mydomain.com
Access-Control-Expose-Headers: Authorization
Access-Control-Allow-Credentials: true
Authorization: Bearer eyJra...
Set-Cookie: refreshToken=eyJra...; Path=/refresh; Secure; HttpOnly; SameSite=None

The request that should contain the cookie looks like this:

GET https://second.mydomain.com/refresh => 400

GET /refresh HTTP/1.1

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
DNT: 1
Host: second.mydomain.com
Origin: https://dev.mydomain.com
Referer: https://dev.mydomain.com/

The response headers:

HTTP/1.1 400
Date: Mon, 20 Nov 2023 12:05:41 GMT
Content-Length: 0
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: https://dev.mydomain.com
Access-Control-Expose-Headers: Authorization
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff

Can anyone give me a hint, why the cookie is not attached?

I also tried setting the Domain= attribute on the cookie, but the default behaviour should pick the request URL's host as the domain (in this case: second.mydomain.com).

The request is sent via the axios REST client:

axios.get(refreshPath, {withCredentials: true});

I would really appreciate any hints.

Best regards, Alex


Solution

  • Credits to @CBroe

    The correct solution was to use withCredentials=true on the initial request as well, i.e. the one whose response sets the cookie!
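The rules behind the accepted answer, as an added example that is not part of the original question or answer: a small Node.js checker that applies what a browser checks before it (1) stores a cookie carried by a cross-origin response and (2) attaches that cookie to a later request. The response headers and the Set-Cookie line are copied from the question; the request objects (`origin`, `url`, `withCredentials`), the helper names, the two-label "same site" shortcut (a real browser consults the Public Suffix List) and the `/refreshToken` request path are assumptions introduced here. It goes slightly beyond the question by also showing how the `Path=/refresh` attribute scopes where the cookie is sent.

```javascript
// Added example (not from the original post). Models the browser's decisions
// for a cookie set by a CORS response. Header values come from the question;
// request shapes, helper names and the /refreshToken path are assumptions.

// Parse one Set-Cookie header into name/value plus attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    path: '/', domain: null, secure: false, httpOnly: false, sameSite: 'lax' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'path': cookie.path = v.startsWith('/') ? v : '/'; break;
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.toLowerCase(); break;
    }
  }
  return cookie;
}

// Simplified "same site": compare the last two DNS labels. Browsers use the
// Public Suffix List; this shortcut is enough for mydomain.com-style hosts.
function sameSite(hostA, hostB) {
  const site = (h) => h.split('.').slice(-2).join('.');
  return site(hostA) === site(hostB);
}

// RFC 6265 section 5.1.4 path-match: exact, or prefix at a '/' boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Reasons a browser would refuse to store the cookie from a CORS response.
// `req` is the fetch/axios request that produced the response.
function storeProblems(req, headers, setCookie) {
  const h = (name) => headers[name.toLowerCase()];
  const reasons = [];
  if (!req.withCredentials) {
    reasons.push('request was not credentialed: Set-Cookie on a CORS response is ignored');
  }
  if (h('access-control-allow-credentials') !== 'true') {
    reasons.push('missing Access-Control-Allow-Credentials: true');
  }
  const acao = h('access-control-allow-origin');
  if (acao === '*' || acao !== req.origin) {
    reasons.push(`Access-Control-Allow-Origin must echo ${req.origin} exactly, got ${acao}`);
  }
  const c = parseSetCookie(setCookie);
  if (c.sameSite === 'none' && !c.secure) reasons.push('SameSite=None requires Secure');
  if (c.secure && new URL(req.url).protocol !== 'https:') {
    reasons.push('Secure cookie cannot be set over http');
  }
  return reasons;
}

// Reasons a browser would omit a stored cookie from a later request.
// `setBy` is the host whose response set it (host-only cookie when no Domain).
function sendProblems(cookie, setBy, req) {
  const url = new URL(req.url);
  const reasons = [];
  if (!req.withCredentials) reasons.push('request was not credentialed: cookies omitted');
  const domainOk = cookie.domain
    ? url.hostname === cookie.domain || url.hostname.endsWith('.' + cookie.domain)
    : url.hostname === setBy;
  if (!domainOk) reasons.push(`host ${url.hostname} does not match the cookie's domain`);
  if (!pathMatches(url.pathname, cookie.path)) {
    reasons.push(`path ${url.pathname} is outside cookie Path=${cookie.path}`);
  }
  if (cookie.secure && url.protocol !== 'https:') reasons.push('Secure cookie, insecure URL');
  if (cookie.sameSite !== 'none' && !sameSite(new URL(req.origin).hostname, url.hostname)) {
    reasons.push(`SameSite=${cookie.sameSite} blocks a cross-site request`);
  }
  return reasons;
}

// Scenario from the question: headers copied from the /verifyToken response.
const VERIFY_RESPONSE = {
  'access-control-allow-origin': 'https://dev.mydomain.com',
  'access-control-allow-credentials': 'true',
  'access-control-expose-headers': 'Authorization',
};
const SET_COOKIE = 'refreshToken=eyJra...; Path=/refresh; Secure; HttpOnly; SameSite=None';
const ORIGIN = 'https://dev.mydomain.com';
const API = 'https://second.mydomain.com';

function demo() {
  const noCreds = { origin: ORIGIN, url: `${API}/verifyToken`, withCredentials: false };
  const creds = { ...noCreds, withCredentials: true };
  const cookie = parseSetCookie(SET_COOKIE);
  const follow = (path) => ({ origin: ORIGIN, url: `${API}${path}`, withCredentials: true });
  return {
    storedWithoutCredentials: storeProblems(noCreds, VERIFY_RESPONSE, SET_COOKIE),
    storedWithCredentials: storeProblems(creds, VERIFY_RESPONSE, SET_COOKIE),
    sentToRefresh: sendProblems(cookie, 'second.mydomain.com', follow('/refresh')),
    // hypothetical path: a prefix match that is NOT a path-match
    sentToRefreshToken: sendProblems(cookie, 'second.mydomain.com', follow('/refreshToken')),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node cors-cookie-check.js`. The first entry reproduces the question's failure: the `/verifyToken` POST without `withCredentials` yields one reason, and the browser never stores the cookie, so the later `/refresh` GET has nothing to send. With `withCredentials: true` on both requests the lists are empty. The last entry shows the separate `Path` gotcha: `Path=/refresh` covers `/refresh` and `/refresh/...` but not `/refreshToken`.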