
My React app (from domain react-app.com) is loaded inside a website, beautiful-site.com, and the requests sent from the React app don't send the session cookie associated with it.

The workaround I had was to add the headers below on the server and, in the React app, send XHR requests with withCredentials: true

Access-Control-Allow-Origin: https://beautiful-site.com
Access-Control-Allow-Credentials: true

The issue is I can specify a particular site in Access-Control-Allow-Origin, because the react app will be added to many sites not one.

Is there any way to get the session cookie sent from the React app?

CaptainZero
    For the origin problem, you can look at the cors (npm package) configuration. It allows you to determine dynamically which domains can be whitelisted... – BENARD Patrick Jan 11 '20 at 10:48

1 Answer


The answer is no, but you have a workaround: when you set withCredentials you can't have an Access-Control-Allow-Origin: *.

The fix must be done server side: your API service must return the domain of the request in Access-Control-Allow-Origin, commonly taken from the Origin header.

See No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API (the How to fix “Access-Control-Allow-Origin header must not be the wildcard” problems subsection) for technical details.

keul
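
The server-side fix described in the answer above, as an added example that is not part of the original question or answer: the Origin header is echoed back only when it exactly matches an allowlist, rather than reflected unconditionally. The allowlist entries, the function names `corsHeadersFor` and `handle`, and the allowed methods and headers are assumptions made for illustration.

```javascript
// Constructed allowlist: the sites permitted to embed the app (assumption).
const ALLOWED_ORIGINS = new Set([
  "https://beautiful-site.com",
  "https://another-partner.example",
]);

// Return the CORS response headers for one request's Origin header value.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  // Always vary on Origin so caches never serve one site's response to another.
  const headers = { Vary: "Origin" };
  // Exact string match only: no wildcard, no substring or suffix test,
  // and "null" (sandboxed iframes, file://) is never in the list.
  if (typeof origin === "string" && allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Node http-style handler (req, res); it also answers the preflight request.
function handle(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  const allowed = "Access-Control-Allow-Origin" in headers;
  if (req.method === "OPTIONS") {
    if (allowed) {
      headers["Access-Control-Allow-Methods"] = "GET, POST";
      headers["Access-Control-Allow-Headers"] = "Content-Type";
    }
    res.writeHead(allowed ? 204 : 403, headers);
    return res.end();
  }
  // Without the Allow-Origin header the browser withholds the body from the caller.
  res.writeHead(200, { ...headers, "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}
```

`handle` can be passed to Node's `http.createServer`. For the browser to attach the session cookie on these cross-site requests, the cookie itself must also be set with `SameSite=None; Secure`.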