Session cookie not sent with XHR reqs

My React app (from react-app.com) is embedded in the website beautiful-site.com, but the requests sent from the React app don’t include the associated session cookie.

I have a workaround that involves adding the following headers to the server and XHR requests sent from the React app with withCredentials: true:

Access-Control-Allow-Origin: https://beautiful-site.com
Access-Control-Allow-Credentials: true

However, this limits me to specifying a particular site in Access-Control-Allow-Origin, as the React app will be embedded in multiple sites.

Is there any way to ensure the session cookie is always sent from the React app?

Yes, you can set the credentials option to include in the fetch or axios requests made by the React app. This will ensure that the session cookie is always sent with the request, regardless of the origin. Here’s an example:

fetch('https://api.example.com/data', {
  method: 'GET',
  credentials: 'include'
})

Note that this requires the server to allow credentials by setting Access-Control-Allow-Credentials: true.
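The multi-site case from the question, as an added example that is not part of the original posts: when credentials are included, browsers reject `Access-Control-Allow-Origin: *`, so the server has to echo the request's Origin after checking it against an allowlist, and the session cookie needs `SameSite=None; Secure` to be attached to cross-site requests. The second hostname, the cookie name `sid` and the function names are assumptions for illustration.

```javascript
// Added example: only beautiful-site.com comes from the post; the rest is constructed.
const ALLOWED_ORIGINS = new Set([
  'https://beautiful-site.com',
  'https://another-host.example', // hypothetical second embedding site
]);

// Returns the CORS response headers for a request's Origin header value,
// or null when the origin is not on the allowlist (send no CORS headers then).
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null; // malformed value, or the literal "null" origin
  }
  // Exact match on the serialized origin; no substring, prefix or suffix checks.
  if (parsed.origin !== origin || !allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // "*" is not accepted with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // stop caches reusing one site's response for another
  };
}

// Set-Cookie value for a session cookie that is sent on cross-site requests.
// SameSite=None is only accepted by browsers together with Secure.
function sessionCookie(id) {
  return `sid=${encodeURIComponent(id)}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Applies the headers to a Node-style response; returns whether CORS was granted.
function applyCors(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  if (headers === null) return false;
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return true;
}
```

Requests from origins that are not on the list get no CORS headers, so the browser does not expose the response to the calling page.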