Login ProductsSalesSupportDownloadsAbout |
Home » Technical Support » Elevate Web Builder Technical Support » Support Forums » Elevate Web Builder General » View Thread |
Messages 1 to 8 of 8 total |
Cookie anyone? |
Thu, Jun 13 2019 7:02 AM | Permanent Link |
Matthew Jones | Okay, I'd like to use Cookies for a system. The server returns the cookie in the response, but my next call using a TServerRequest doesn't send it. What are the steps needed to make it work?
Do I need to read the cookie from the response header and add it to Cookies, and that's it? Or do I need to read the cookies and put them in the next request? (I'm only working in the IDE right now, in case that affects anything) -- Matthew Jones |
Thu, Jun 13 2019 7:18 AM | Permanent Link |
Matthew Jones | Matthew Jones wrote:
> Do I need to read the cookie from the response header and add it to Cookies Interesting - in PAW I see that there is a header returned called "Set-Cookie". But when I log the request.RequestHeaders there is no such header. Do I have to pass in an "accept cookies" header or something in the original call? -- Matthew Jones |
Thu, Jun 13 2019 7:32 AM | Permanent Link |
Matthew Jones | Matthew Jones wrote:
> Interesting - in PAW I see that there is a header returned called "Set-Cookie". Running in Chrome, there is no cookie passed (or at least, not shown in the debug info). I'm confused! -- Matthew Jones |
Thu, Jun 13 2019 7:36 AM | Permanent Link |
erickengelke | "Matthew Jones" wrote:
Matthew Jones wrote: >> Interesting - in PAW I see that there is a header returned called "Set-Cookie". >Running in Chrome, there is no cookie passed (or at least, not shown in the debug info). I'm confused! I use a lot of cookies, they work well. I'm certain the problem is in your server code not passing the cookie. If you are using PHP, setcookie() is your friend, but you have to call it before sending any body output, as it is part of the header. Erick EWB Programming Books and Component Library http://www.erickengelke.com |
Thu, Jun 13 2019 7:38 AM | Permanent Link |
Matthew Jones | Hmm, there is an undocumented "CrossOriginCredentials" option that says something about Cookies. Given I'm accessing a different host in my requests, I guess that is something. Back when I've dug deep.
-- Matthew Jones |
Thu, Jun 13 2019 8:15 AM | Permanent Link |
Matthew Jones | erickengelke wrote:
> I'm certain the problem is in your server code not passing the cookie. Hmm, I'm not! Just been experimenting, and if I set this CrossOriginCredentials, then the cookie is set (it isn't shown in the debug header info though in Chrome). But, the call fails with the browser complaining about something or other to do with CORS. So the cookie is coming out. This is probably some CORS thing, and this is a core requirement of the system. Grrr. -- Matthew Jones |
Thu, Jun 13 2019 8:48 AM | Permanent Link |
Matthew Jones | Matthew Jones wrote:
> This is probably some CORS thing https://stackoverflow.com/questions/43114750/header-in-the-response-must-not-be-the-wildcard-when-the-requests-credentia/43409061 Okay, the server was sending the '*' as the accept, but Chrome doesn't like that if I set the (required) CrossOriginCredentials option. So I've set the CORS policy to be an explicit server, and it works. -- Matthew Jones |
Fri, Jun 14 2019 8:58 AM | Permanent Link |
erickengelke | "Matthew Jones" wrote:
Matthew Jones wrote: > This is probably some CORS thing >https://stackoverflow.com/questions/43114750/header-in-the-response-must-not-be-the-wildcard-when-the-requests-credentia/43409061 >Okay, the server was sending the '*' as the accept, but Chrome doesn't like that if I set the (required) CrossOriginCredentials option. So I've set the CORS policy to be an explicit server, and it works. Ah, that would be correct. It's best to limit cookies to sites you have control over, or trust, rather than *. There are some additional issues with CORS, such as browsers with ad blocking will often fail because they assume CORS is ads. And it raises all sorts of stink with security people looking at your code. But since you say it is a requirement, I'll mention that a good solution to eliminate CORS while having separate servers do the work, is to use a reverse proxy with Apache or NGinx. There you define a subdirectory in your Web tree as being something the server passes on to another server. That also passes cookies, BTW. Erick Erick EWB Programming Books and Component Library http://www.erickengelke.com |
This web page was last updated on Friday, November 1, 2024 at 07:01 PM | Privacy PolicySite Map © 2024 Elevate Software, Inc. All Rights Reserved Questions or comments ? E-mail us at info@elevatesoft.com |