Had to add

    xhrFields: {
        withCredentials: true
    },

as an ajax param and

    response.addHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
    response.setHeader("Access-Control-Allow-Credentials", "true");

as my response headers.
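
An added example, not part of the original post: the same two response headers, with the request's Origin echoed back only when it exactly matches an allowlist, so that credentialed cross-origin reads are limited to known front ends. The class name, the allowlist entries and the sample origins are assumptions constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.BiConsumer;

public class CredentialedCors {
    // Assumption: constructed allowlist of origins permitted to send cookies.
    static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com");

    /**
     * Sets CORS headers for one request. In a servlet this could be called as
     * applyCors(request.getHeader("Origin"), response::setHeader).
     * Returns true when the origin was accepted.
     */
    static boolean applyCors(String origin, BiConsumer<String, String> setHeader) {
        // The response varies with the Origin header, so caches must key on it.
        setHeader.accept("Vary", "Origin");
        // Exact string match only: no prefix, suffix or substring checks,
        // and the literal origin "null" is not on the list.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            // No Access-Control-* headers: the browser withholds the response
            // from the calling script.
            return false;
        }
        setHeader.accept("Access-Control-Allow-Origin", origin);
        setHeader.accept("Access-Control-Allow-Credentials", "true");
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample Origin values, including look-alikes of an allowed one.
        String[] samples = {
            "https://app.example.com",
            "https://app.example.com.other.test",
            "http://app.example.com",
            "null",
            null
        };
        for (String origin : samples) {
            Map<String, String> headers = new LinkedHashMap<>();
            boolean accepted = applyCors(origin, headers::put);
            System.out.println(origin + " accepted=" + accepted + " headers=" + headers);
        }
    }
}
```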