Once upon a time, there was a bird who dreamt of joining the postal service but failed his preflight test...
Using Laravel as a RESTful API and AngularJS/ionic for the app, everything was working smoothly until suddenly... it stopped. The withCredentials setting on the Angular side seemed to be causing issues with the preflight OPTIONS not sending a cookie, even though Laravel was returning one. How can we prevent OPTIONS from returning a laravel_session cookie? This is causing CORS problems by creating a new session with every POST request. I've implemented the Laravel/CORS package by @barryvdh with the configuration:
    '*' => array(
        'supportsCredentials' => true,
        'allowedOrigins' => array('*'),
        'allowedHeaders' => array('*'),
        'allowedMethods' => array('POST', 'PUT', 'GET', 'PATCH', 'OPTIONS', 'DELETE'),
        'maxAge' => 36000,
        'hosts' => array('api.*'),
    )
On the Angular side, I have:
    $http({
        method: 'POST',
        url: 'http://api.blabla.local/banana',
        data: data,
        withCredentials: true
    })
All GET calls are working fine, including fetching the CSRF token from Laravel at the start of the app.
The current situation is as follows:
1. Preflight OPTIONS > no session cookies in the request. Response = 200 with a different session cookie causing CSRF errors. [my belief: withCredentials doesn't work with OPTIONS call]
2. POST > fails with 500 error, headers show no response even though the cookie/session was sent. Error message indicates unauthorized origin.
What could be causing this issue? I've spent hours troubleshooting and reading other posts without success. Can we eliminate the preflight somehow or is the problem elsewhere (perhaps with Laravel Homestead)? It seems like the main problem lies in the OPTIONS request returning a session cookie or the request itself including one!
Any help would be greatly appreciated. I'm going crazy trying to solve this...
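As an added example (not part of the original post and not code from the Laravel/CORS package), the following JavaScript audits a captured preflight exchange for a credentialed request, flagging a session cookie set on the OPTIONS response and CORS headers that a browser rejects when withCredentials is on. The Origin value, the x-csrf-token header name and both sample exchanges are constructed assumptions.

```javascript
// Added example. Header names are lower-cased; both exchanges below are constructed.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const split = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// Returns findings for the preflight of a credentialed (withCredentials) request.
function auditPreflight(req, res) {
  const findings = [];
  const h = res.headers;
  // Browsers send the preflight without credentials, so a cookie here is unexpected.
  if (req.headers['cookie']) findings.push('preflight-request-has-cookie');
  // A cookie issued on OPTIONS means session handling ran for a request that cannot carry one.
  if (h['set-cookie']) findings.push('preflight-response-sets-cookie');
  if (res.status < 200 || res.status > 299) findings.push('preflight-status-not-2xx');
  // With credentials the allowed origin must be the exact Origin value, never "*".
  const acao = h['access-control-allow-origin'];
  if (acao === '*') findings.push('wildcard-origin-with-credentials');
  else if (acao !== req.headers['origin']) findings.push('origin-not-allowed');
  if (h['access-control-allow-credentials'] !== 'true') findings.push('allow-credentials-missing');
  // "*" in the method/header lists is taken literally when credentials are involved.
  const method = req.headers['access-control-request-method'];
  if (!SAFELISTED_METHODS.includes(method) &&
      !split(h['access-control-allow-methods']).includes(method)) {
    findings.push('method-not-allowed');
  }
  const allowed = split(h['access-control-allow-headers']).map((s) => s.toLowerCase());
  for (const name of split(req.headers['access-control-request-headers'])) {
    if (!allowed.includes(name.toLowerCase())) findings.push('header-not-allowed:' + name);
  }
  return findings;
}

// Constructed preflight for the POST in the question (the Origin value is an assumption).
const preflight = { method: 'OPTIONS', url: 'http://api.blabla.local/banana', headers: {
  'origin': 'http://app.example.test',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'content-type, x-csrf-token' } };
// Constructed response (not the package's real output): the cookie symptom plus a literal "*".
const symptomatic = { status: 200, headers: {
  'access-control-allow-origin': 'http://app.example.test',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'POST, PUT, GET, PATCH, OPTIONS, DELETE',
  'access-control-allow-headers': '*',
  'set-cookie': 'laravel_session=constructed-value; path=/; httponly' } };
// Same response once OPTIONS is answered before the session layer, with headers named explicitly.
const corrected = { status: 200, headers: { ...symptomatic.headers,
  'access-control-allow-headers': 'content-type, x-csrf-token' } };
delete corrected.headers['set-cookie'];

console.log(auditPreflight(preflight, symptomatic), auditPreflight(preflight, corrected));
```

Feed it the request and response headers copied from the browser's network panel for the OPTIONS call; an empty result means the preflight itself is not what the browser is rejecting.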