xhr.withCredentials doesn't store / send PHPSESSID cookie in CORS / AJAX request
Reported by
stefanva...@gmail.com,
Oct 17 2017
Issue description

Chrome Version: 62.0.3202.52 (Official build) beta (64-bit) on Windows 10 Pro 1703
URLs (if applicable): test on https://stefanvanburen.nl/playground/test-cors-sessions/ and https://stefanvanburen.com/playground/test-cors-sessions/

Other browsers tested:
Chrome: FAIL / Version 62.0.3202.52 (Official build) beta (64-bit) on Windows 10 Pro 1703
Chrome: OK / Version 61.0.3163.100 (Official build) (64-bit) on Windows 10 Pro 1703
Firefox: OK / Version 56.0 (32-bit) on Windows 10 Pro 1703
Edge: OK / Version 40.15063.674.0 on Windows 10 Pro 1703
Opera: OK / Version 48.0.2685.39 (PGO) on Windows 10 Pro 1703
Safari: OK / Version 11.0 (11604.1.38.1.7) on Mac OS X 10.11.6
Firefox: OK / Version 56.0 on Mac OS X 10.11.6

We're developing web applications that use API requests to hosted locations. The application is hosted on domain X and the API on domain Y. We're using AJAX / CORS requests (sending the right headers, such as Access-Control-Allow-Origin, Access-Control-Allow-Credentials and Access-Control-Allow-Methods, from PHP), making it possible to communicate between domains. To keep information about logged-in users, we're using the xhr.withCredentials option (set to true) to allow cookies to be set, in this case the PHPSESSID cookie. This always worked, but in the latest Chrome 62 version we noted that the PHPSESSID cookie isn't stored (and therefore also not sent) anymore...

What steps will reproduce the problem?
(1) Go to https://stefanvanburen.nl/playground/test-cors-sessions/. Use the button [Get cookies on current domain / path] to see that no cookies are available on the domain.
(2) The result will show 'NO COOKIES' in the list under 'Avaliable cookies on domain:'.
(3) Now go to https://stefanvanburen.com/playground/test-cors-sessions/ (note the different TLD, .com vs .nl, so a different domain) and use the button [Get session id's from stefanvanburen.nl].
(4) The list under 'SessionId's, received from stefanvanburen.nl' will show a list of PHP session ids received from 5 AJAX / CORS requests to stefanvanburen.nl.
(5) Go back to https://stefanvanburen.nl/playground/test-cors-sessions/ and again use the button [Get cookies on current domain / path] to see whether cookies are available on the domain.
(6) The result will show a list of cookies which are set on the domain stefanvanburen.nl.

What is the expected result?
In all browsers that are OK (see the list above), the list in step (4) shows 5 of the same PHP session ids and the result in step (6) shows the same session id in the PHPSESSID cookie. This is because, thanks to the xhr.withCredentials option, the PHPSESSID cookie was set on the first AJAX / CORS request and was sent in the 4 requests after that on the domain stefanvanburen.nl. So when getting the cookies on stefanvanburen.nl in step (6), we will see it.

What happens instead?
In the latest version of Chrome (62.0.3202.52 (Official build) beta) the PHPSESSID cookie isn't set. Therefore, the result in step (4) will show 5 different session ids, and when getting the cookies set on stefanvanburen.nl in step (6), it will show 'NO COOKIES' in the list under 'Avaliable cookies on domain:'.

Additional info:
When using the button [Get session id's from stefanvanburen.com] on stefanvanburen.com and the button [Get session id's from stefanvanburen.nl] on stefanvanburen.nl, the PHPSESSID cookie is stored and the list below will show 5 of the same session ids. The same happens in all other browsers when calling api.php on stefanvanburen.com from stefanvanburen.nl or vice versa. Only in the latest version of Chrome it doesn't. On Chrome 61.0.3163.100 it still works! See https://stefanvanburen.com/playground/test-cors-sessions/api.phps for the PHP file which is called in the AJAX / CORS requests.
Oct 18 2017
Thanks for the quality bug report! I get the "expected" behaviour on M61 and M63 (also on Firefox 56). I will test M62 later today when I have a chance to build it.
Oct 18 2017
Cannot reproduce on 62.0.3202.65.
Oct 18 2017
Cannot reproduce on 62.0.3202.52. Could you try again with a fresh profile?
Oct 18 2017
Thanks for the quick reactions and to ricea for the suggestion to use a fresh profile. After more searching, testing and debugging, I found out that it worked with a clean profile, not with my current one. Under Settings > Advanced > Content Settings > Cookies, the option 'Block third-party cookies' (Prevent third-party websites from saving and reading cookie data) was enabled. After disabling this, everything now works like a charm. Because I'm the only developer running the Chrome 62 Beta and I was the only one with this problem, we thought it had something to do with the latest version, but it turned out to be a setting.
Oct 18 2017
Thank you for providing more feedback. Adding requester "ricea@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 18 2017
Thank you for the follow-up.
Comment 1 by ligim...@chromium.org, Oct 17 2017