I have a website that uses asynchronous http requests (ajax, to use the common misnomer) for performing login and registration. The authentication cookie is set by the asynchronous request and it all works great.
I recently locked down the registration and login actions to require https. Everything appears to work, except that the authentication cookie returned isn't functioning properly and the user doesn't actually get logged in.
In Chrome, in the development tools, under resources, it doesn't show any cookies having been created. If I go to the Chrome settings and view all the cookies, I can see that a cookie has been created. Perhaps it's encrypted and not readable?
So, to summarize:
- The initial page is loaded using normal HTTP
- The Login action is an asynchronous HTTPS request
- The authentication cookie returned by the HTTPS request doesn't seem to be working
How do I get this to work?
A couple things I should note:
- This is not a CORS issue.
- I am aware of the potential man-in-the-middle attack. This website does not house sensitive data. I'm attempting to do something very similar (if not exactly the same) to what reddit is doing.
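An added illustration, not part of the question above, of the rule a browser applies when deciding whether to attach a stored cookie to a request. Per RFC 6265 §5.4, a cookie carrying the `Secure` attribute is only sent on requests over `https://`, so a cookie set by an HTTPS response on a host is never attached to requests issued over plain HTTP to that same host, which is exactly the mixed-scheme layout the question describes. The hostnames, paths, cookie names and values are constructed for the example; `parseSetCookie`, `cookiesForRequest` and `demo` are names chosen here, not browser or framework APIs.

```javascript
// Added example: a minimal RFC 6265-style cookie jar. It parses Set-Cookie
// headers and applies the domain, path and Secure checks a browser performs
// before attaching a cookie to an outgoing request.

function parseSetCookie(header, responseUrl) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: valueParts.join('=').trim(),
    domain: new URL(responseUrl).hostname, // host-only unless Domain= is given
    hostOnly: true,
    path: '/',
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.join('=').trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// RFC 6265 §5.1.4 path-match: exact, or prefix ending at a '/' boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Host-only cookies need an exact host; Domain= cookies also match subdomains.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Returns the "name=value" pairs a browser would put in the Cookie header
// for a request to requestUrl.
function cookiesForRequest(jar, requestUrl) {
  const u = new URL(requestUrl);
  const isSecure = u.protocol === 'https:';
  return jar
    .filter(c => domainMatches(u.hostname, c))
    .filter(c => pathMatches(u.pathname, c.path))
    .filter(c => !c.secure || isSecure) // Secure cookies require a secure channel
    .map(c => `${c.name}=${c.value}`);
}

// Constructed scenario: an HTTPS login response sets a Secure session cookie
// and a non-Secure preference cookie; the page then issues requests over
// both schemes to the same host.
function demo() {
  const jar = [];
  const loginUrl = 'https://example.com/account/login';
  jar.push(parseSetCookie('session=abc123; path=/; secure; HttpOnly', loginUrl));
  jar.push(parseSetCookie('theme=dark; path=/', loginUrl));
  return {
    httpsRequest: cookiesForRequest(jar, 'https://example.com/account/login'),
    httpRequest: cookiesForRequest(jar, 'http://example.com/home'),
  };
}

console.log(demo());
```

Running `demo()` shows the session cookie present on the HTTPS request and absent on the HTTP one, while the non-Secure `theme` cookie travels on both; that asymmetry is what a per-origin cookie view in developer tools surfaces when the page is loaded over HTTP.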