Tags: cookies, javascript, wcf

ASPXAUTH cookie not being stored after CORS request

Published on 2020-04-08 09:21:07

I've been asked to write a javascript/HTML front-end to connect to a set of WCF services. I can use Postman to hit the Logon service and I can see that on a valid logon, two cookies are set .ASPXAUTH and ASP.NET_SessionId.

When I hit the same service from my javascript code, I get a 200 response and in the network section of Chrome developer tools, I can see the Set-Cookie header in the response for each of the two cookies.

However, the cookies do not get stored in the browser so subsequent requests to the server fail because they lack the cookie credentials.

The client app is on a different domain (https://localhost:44357) than the server (http://localhost:3101) so CORS is in play. The client call is made using aurelia-http-client which is a wrapper around XMLHttpRequest. I'm using .withCredentials() which is supposed to add the credentials: true header. You can see that it is being included:

[Screenshot: the request in Chrome developer tools, showing the credentials being sent]

The Server is configured for CORS like so:

protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin","https://localhost:44357");
    if(HttpContext.Current.Request.HttpMethod == "OPTIONS")
    {
        HttpContext.Current.Response.AddHeader("Cache-Control","no-cache");
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods","GET,POST,OPTIONS");
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers","Content-Type,Accept,credentials");
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Credentials","true");
        HttpContext.Current.Response.AddHeader("Access-Control-Max-Age","1728000");
    }
}

What am I missing? Why aren't the cookies from the WCF Server being stored by the browser?

Questioner: RHarris
Viewed: 68
RHarris 2020-02-01 05:33

In playing around, I found that moving the Access-Control-Allow-Credentials header outside the if statement did the trick.

protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin",...)
    //Had to move this line outside of the if statement
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Credentials","true");
    if(...)
    {
       ...
    }
}
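The fix above works because the browser applies the credentialed-CORS check to every response, not only to the OPTIONS preflight: a response that lacks Access-Control-Allow-Credentials: true (or that answers with Access-Control-Allow-Origin: *) is hidden from script, and its Set-Cookie headers are discarded. The JavaScript below is an added illustration, not code from the question or the answer: it models the server's original header logic next to the fixed one, the browser-side acceptance rule, and a second caveat that also bites cross-site cookies, the SameSite=None; Secure requirement. The origin allowlist, the 600-second max-age, the cookie value and the evil.example origin are assumptions for the demonstration.

```javascript
// Added example (not from the original post). Models the server-side CORS
// header logic from the question, the fixed form, the browser's acceptance
// rule for credentialed responses, and the SameSite/Secure cookie caveat.
// Only https://localhost:44357 comes from the question; the rest is assumed.

const ALLOWED_ORIGINS = new Set(["https://localhost:44357"]); // assumed allowlist

// Approximates the asker's original Application_BeginRequest:
// Allow-Credentials is emitted only on the OPTIONS preflight.
function originalHeaders(req) {
  const h = { "Access-Control-Allow-Origin": "https://localhost:44357" };
  if (req.method === "OPTIONS") {
    h["Access-Control-Allow-Methods"] = "GET,POST,OPTIONS";
    h["Access-Control-Allow-Headers"] = "Content-Type,Accept,credentials";
    h["Access-Control-Allow-Credentials"] = "true";
  }
  return h;
}

// Fixed form: Allow-Origin and Allow-Credentials on every response. The
// origin is taken from an allowlist rather than echoed blindly, because
// reflecting any Origin together with credentials lets any site make
// authenticated requests as the logged-in user.
function fixedHeaders(req) {
  const h = {};
  if (!ALLOWED_ORIGINS.has(req.origin)) return h; // unknown origin: no CORS grant
  h["Access-Control-Allow-Origin"] = req.origin;   // exact origin, never "*"
  h["Access-Control-Allow-Credentials"] = "true";
  h["Vary"] = "Origin";                            // keep caches per origin
  if (req.method === "OPTIONS") {
    h["Access-Control-Allow-Methods"] = "GET,POST,OPTIONS";
    h["Access-Control-Allow-Headers"] = "Content-Type,Accept";
    h["Access-Control-Max-Age"] = "600";           // assumed value
  }
  return h;
}

// Browser-side rule for a request sent with withCredentials = true:
// Allow-Origin must equal the requesting origin ("*" is rejected) and
// Allow-Credentials must be the literal string "true". Otherwise the
// response is hidden from script and its Set-Cookie headers are dropped.
function credentialedResponseAccepted(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Second caveat: even with correct CORS headers, a cookie set by a
// cross-site response is only stored by current browsers if it carries
// SameSite=None and Secure. Parse one Set-Cookie value and report that.
function cookieStorableCrossSite(setCookie) {
  const parts = setCookie.split(";").map((p) => p.trim());
  const attrs = {};
  for (const p of parts.slice(1)) {            // parts[0] is name=value
    const [k, v = ""] = p.split("=");
    attrs[k.toLowerCase()] = v.trim();
  }
  const sameSite = (attrs.samesite || "").toLowerCase();
  return sameSite === "none" && "secure" in attrs;
}

// Runs the scenario from the question: a credentialed POST to the logon
// service from the client origin, before and after the fix. Cookie strings
// are constructed samples, not real tokens.
function demo() {
  const actual = { method: "POST", origin: "https://localhost:44357" };
  const other = { method: "POST", origin: "https://evil.example" };
  return {
    before: credentialedResponseAccepted(originalHeaders(actual), actual.origin),
    after: credentialedResponseAccepted(fixedHeaders(actual), actual.origin),
    otherOrigin: credentialedResponseAccepted(fixedHeaders(other), other.origin),
    cookieOk: cookieStorableCrossSite(".ASPXAUTH=abc123; path=/; HttpOnly; SameSite=None; Secure"),
    cookieBad: cookieStorableCrossSite(".ASPXAUTH=abc123; path=/; HttpOnly"),
  };
}
```

demo() returns before: false, after: true, otherOrigin: false, cookieOk: true and cookieBad: false. The cookie check matters for the question's setup as well: the client and server are different origins, so .ASPXAUTH and ASP.NET_SessionId are cross-site cookies from the browser's point of view, and the server in the question speaks plain HTTP, so whether a Secure cookie from http://localhost is accepted depends on the browser; testing over HTTPS removes that variable.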