4

I'm porting a client-side library for an API from JSONP to CORS. I have set all the correct headers in the server and done all the indicated things in the client, but I have a problem regarding cookies. That API auth method works with cookies. With JSONP, it made a GET request to the API with the API key as a parameter. Then the server set a cookie at api.io.holalabs.com (API URL), so the next time it does a call to the API the server requests the cookie and makes the login. The problem is that, although I see Set-Cookie in the headers, the cookie is not set at api.io.holalabs.com so the login fails. These are my headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version
Access-Control-Allow-Methods:GET
Access-Control-Allow-Origin:http://holalabs.com
Access-Control-Expose-Headers:X-Api-Version, X-Request-Id, X-Response-Time
Connection:close
Content-Length:13
Content-MD5:RjkY1fW5i5MKifxPk+r4tg==
Content-Type:application/json
Date:Fri, 13 Apr 2012 16:06:56 GMT
Server:nginx/1.0.14
Set-Cookie:apikey.sig=DYyrzLFUfJSjsmK5crkxHQg-rxQ; path=/; httponly
X-Api-Version:1.0.0
X-Request-Id:c78b4223-1caf-42db-a99e-b075bdc10ea5
X-Response-Time:2

EDIT: Using cookies in an API is a horrible idea, so now we are using a header to auth the user. Issue closed!


1 Answer

0

Issue is supposedly closed, but if anyone encounters this problem and needs to use cookies, here's one possible explanation and solution:

Explanation

The session ID is sent as a cookie, and since the request is cross-domain, it's considered a third party cookie by the browser. Several browsers will block third-party cookies, and the session is lost.

Solution

Generate the session ID on the client (in the browser), use JavaScript sessionStorage to store the session ID, then send the session ID with each request to the server.

(Details: Javascript Cross-Domain Request With Session)

answered 2014-12-18T08:31:49.150
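
The approach in the answer above (a client-generated session ID kept in sessionStorage and sent with every request), as an added example that is not part of the original post. The header name `X-Session-Id`, the storage key and the function names are assumptions; storage, random source and fetch are injectable so the code also runs outside a browser.

```javascript
// Added example. SESSION_KEY and SESSION_HEADER are hypothetical names.
const SESSION_KEY = 'api.sessionId';
const SESSION_HEADER = 'X-Session-Id';

// Return this tab's session ID, creating a 128-bit random one on first use.
function getSessionId(storage = globalThis.sessionStorage, rng = globalThis.crypto) {
  let id = storage.getItem(SESSION_KEY);
  if (!id) {
    // Use the CSPRNG, not Math.random(): the ID acts as a bearer credential.
    const bytes = rng.getRandomValues(new Uint8Array(16));
    id = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
    storage.setItem(SESSION_KEY, id);
  }
  return id;
}

// Build a GET helper bound to one API origin so the ID is never sent elsewhere.
function createApiClient(apiOrigin, { storage, rng, fetchImpl = globalThis.fetch } = {}) {
  const allowedOrigin = new URL(apiOrigin).origin;
  return function apiGet(path) {
    const url = new URL(path, apiOrigin);
    // Absolute or protocol-relative paths could point at another host: reject them.
    if (url.origin !== allowedOrigin) {
      throw new Error('refusing to send session ID to ' + url.origin);
    }
    return fetchImpl(url.href, {
      method: 'GET',
      mode: 'cors',
      credentials: 'omit', // no cookies: the header carries the session
      headers: { [SESSION_HEADER]: getSessionId(storage, rng) },
    });
  };
}
```

The server has to list the custom header in `Access-Control-Allow-Headers` and answer the preflight `OPTIONS` request that a non-simple header triggers. Unlike the `httponly` cookie in the question, a value in sessionStorage is readable by any script running on the page.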