Question

We're using jQuery AJAX to login. The login service issues an HTTP 302, with the location being the GET for the user logged in, or (in the case of a login failure), a REST endpoint that always returns a not authorized HTTP status. At the same time as the 302, we issue a set cookie for the JSESSIONID. The cookie is an HttpOnly cookie.

When using a straight HTTP form post, the redirect works fine, and everything is set. When using jQuery AJAX, the redirect to the GET /user/{userId} doesn't work as the cookie is not sent with the second call. This failed second call should trigger yet another redirect to the auth-failed endpoint, but it actually doesn't. Inspecting it, I see that the second call gets "canceled". What does that mean, and how do I fix the problem in the first place?

Solution

It's possible you are falling foul of the same-origin policy. Is the domain you are logging in to the same one that the page/script file was served from?

If not, you'll need to use CORS (cross-origin resource sharing) to get the cookie to stick.

You can learn more about it here:

http://www.html5rocks.com/en/tutorials/cors/

https://developer.mozilla.org/en-US/docs/HTTP_access_control
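An added example (not part of the original answer) of what both sides have to do for the cookie to stick across origins: the browser must send the request with credentials enabled, and the login service must answer with an explicit allowed origin plus `Access-Control-Allow-Credentials`. The origin allowlist and the cookie value are assumptions; the `SameSite=None; Secure` attributes are a requirement modern browsers added after this answer was written.

```javascript
// Added example, not the original answer's code. Node-style helpers that a
// login endpoint can use to emit correct CORS headers for a credentialed
// jQuery AJAX request. ALLOWED_ORIGINS is an assumed allowlist.

// Client side (jQuery): without withCredentials the browser will neither
// store the Set-Cookie from the 302 nor resend it on the redirected GET.
//   $.ajax({ url: 'https://api.example.com/login', method: 'POST',
//            data: form, xhrFields: { withCredentials: true } });

const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumption

// Build the CORS response headers for a credentialed request from `origin`.
// Returns null when the origin is not allowlisted, meaning: send no CORS
// headers at all and let the browser block the response.
function corsHeadersForCredentialedRequest(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowed.has(origin)) return null;
  return {
    // Echo the exact origin: browsers reject '*' when credentials are used.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// True only for a header set the browser will accept with credentials:
// a concrete origin (not '*') and the credentials flag set to 'true'.
function browserWouldAcceptCredentials(headers) {
  if (!headers) return false;
  return headers['Access-Control-Allow-Origin'] !== '*'
      && headers['Access-Control-Allow-Credentials'] === 'true';
}

// Set-Cookie value for a session cookie that must survive a cross-site
// XHR: HttpOnly as in the question, plus Secure and SameSite=None, which
// current browsers require before they will attach it cross-site.
function crossSiteSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=None`;
}
```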

Licensed under: CC-BY-SA with attribution