I am currently in the process of creating a login page on the domain "example.com" that makes an Ajax request to the domain "other_domain.com." If the credentials are valid, this request will return a session cookie. My goal is to then redirect to the "other_domain.com" site and be logged in.
My solution works well with IE11, Edge, and Chrome, but I have encountered a problem with Firefox. It seems that Firefox does not set the returned cookie when redirecting to the "other_domain.com" site.
Here is the code for the Ajax request:

    var xhr = new XMLHttpRequest();
    // Send and accept cookies on this cross-origin request
    xhr.withCredentials = true;
    xhr.open('POST', 'https://other_domain.com/login', true);
    xhr.setRequestHeader('Content-Type', 'application/json');
    xhr.onreadystatechange = function () {
        // Request complete with 200 OK: navigate to the other domain
        if (this.status == 200 && this.readyState == 4) {
            window.location.replace("https://other_domain.com/app");
        }
    };
    // payload is the login data object, defined elsewhere (not shown)
    xhr.send(JSON.stringify(payload));

I am able to see that the OPTIONS request succeeds and the AJAX post returns 200 OK on all browsers if the credentials are correct.
The cookie that is returned has the following values:
    CreationTime: "Fri, 28 Sep 2018 12:48:49 GMT"
    Domain: "other_domain.com"
    Expires: "Session"
    HostOnly: true
    HttpOnly: true
    LastAccessed: "Fri, 28 Sep 2018 12:48:49 GMT"
    Path: "/"
    Secure: true
    sameSite: "Lax"
Additional information after being flagged as duplicate:
In the developer console, I can see that both the OPTIONS and POST requests from the provided code return the following headers:
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: https://example.com
I also notice the Set-Cookie header with the correct value in the response in Firefox, but unfortunately, the cookie is not set after the redirect to other_domain.com, even though my Firefox settings allow for third-party cookies and site data to be accepted at all times.