The server side for my project provides WebApi 2.2 Client side is mobile application written in Ionic Everything runs locally in chrome, mobile app in emulation mode.
1) On the server CORS is enabled and every API controller is decorated with:
[EnableCors(origins: "*", headers: "*", methods: "*", SupportsCredentials = true)]
2) angular $http service is also configured to work with CORS:
$httpProvider.defaults.headers.post['Accept'] = 'application/json, text/javascript';
$httpProvider.defaults.headers.post['Content-Type'] = 'application/json; charset=utf-8';
$httpProvider.defaults.withCredentials = true;
$httpProvider.defaults.useXDomain = true;
delete $httpProvider.defaults.headers.common['X-Requested-With'];
delete $httpProvider.defaults.headers.common['X-FirePHP-Version'];
3) After user authenticates itself, I'm sending back form API controller a cookie:
var cookie = new CookieHeaderValue("user-id", result.Entity.ToString());
cookie.Path = "/";
cookie.HttpOnly = true;
cookie.Secure = true;
response.Headers.AddCookies(new CookieHeaderValue[]{ cookie });
I can see this cookie in the response header:
Set-Cookie:user-id=306d5247-1d3b-4120-b412-6ce45105397a; path=/; secure; httponly
4) In WebApi pipeline I registered global DelegatingHandler to read cookies sent with requests
The strange thing, for me, is that when I do make POST call (this request is preflighted), then in delegating handler cookies collection is empty. While changing the method AcceptVerb (both on the controller and in javascript service) to GET fixes my problem and my cookie is present.
My js service is:
var setData= function (model) {
var deferred = $q.defer();
var url = stringHelper.format(endpoints.setData, sessionId);
var config = {
url: url,
method: 'POST',
data: {
name: model.name,
email: model.email
}
};
$http(config).then(function (result) {
deferred.resolve(true);
}, function (error) {
$log.debug(error);
deferred.reject(error);
});
return deferred.promise;
}
Important notice: Making POST calls to the same endpoint from Postman works correctly.
Does anyone have a similar problem? Thanks
I finally figured it out:
1) after comparison of working GET request with failing POST, I noticed that GET wasn't preflighted with OPTIONS, while POST was 2) in the CORS definig materials I read that OPTIONS are not sending any cookies
As a resolution I added checking request method in my DelegatingHandler - so it's passing OPTIONS methods down into pipeline without checking for autentifiaction cookie.
Hope that will help someone :)