Ajax - jQuery redirects and HttpOnly cookies


Questions

We're using jQuery AJAX to log in. The login service issues an HTTP 302, with the location being the GET for the user logged in, or (in the case of a login failure), a REST endpoint that always returns a not authorized HTTP status. At the same time as the 302, we issue a set cookie for the JSESSIONID. The cookie is an HttpOnly cookie.

When using a straight HTTP form post, the redirect works fine, and everything is set. When using jQuery AJAX, the redirect to the GET /user/{userId} doesn't work as the cookie is not sent with the second call. This failed second call should trigger yet another redirect to the auth-failed endpoint, but it actually doesn't. Inspecting it, I see that the second call gets "canceled". What does that mean, and how do I fix the problem in the first place?

Answers

It's possible you are falling foul of the same-origin policy. Is the domain you are logging in to the same one that the page/script file was served from?

If not, you'll need to use CORS (cross origin resource sharing) to get the cookie to stick.

You can learn more about it here:

http://www.html5rocks.com/en/tutorials/cors/

https://developer.mozilla.org/en-US/docs/HTTP_access_control
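The cross-origin case the answer describes, as an added example that is not part of the original question or answer: the browser only stores and sends a cookie (HttpOnly or not) on a cross-origin XHR when the request opts in with `withCredentials` and the response names the exact page origin and allows credentials. The function names, the form field names and the sample origins are assumptions made for illustration.

```javascript
// Added example; loginSettings and corsBlockReason are hypothetical helpers.

// Settings object for $.ajax(). xhrFields.withCredentials tells the browser to
// attach and store cookies on a cross-origin request. Script never reads the
// HttpOnly JSESSIONID itself; the browser handles it.
function loginSettings(url, user, pass) {
  return {
    url: url,
    type: "POST",
    data: { username: user, password: pass }, // field names are assumed
    xhrFields: { withCredentials: true }
  };
}

// Mirrors the check a browser applies to the response of a credentialed
// cross-origin request. Returns null when the response is usable,
// otherwise the reason the browser would block it.
function corsBlockReason(pageOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return "missing Access-Control-Allow-Origin";
  }
  if (allowOrigin === "*") {
    return "wildcard origin is not accepted on a credentialed request";
  }
  if (allowOrigin !== pageOrigin) {
    return "Access-Control-Allow-Origin does not match the page origin";
  }
  if (h["access-control-allow-credentials"] !== "true") {
    return "missing Access-Control-Allow-Credentials: true";
  }
  return null;
}

// Constructed sample: page on app.example.test, login service on api.example.test.
const sampleOrigin = "https://app.example.test";
const sampleGood = {
  "Access-Control-Allow-Origin": sampleOrigin,
  "Access-Control-Allow-Credentials": "true"
};
const sampleWildcard = { "Access-Control-Allow-Origin": "*" };
```

When the page and the login service share one origin, none of these headers are involved and the cookie travels with the XHR as it does with a form post.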

Source

License : cc by-sa 3.0

http://stackoverflow.com/questions/9935734/jquery-redirects-and-httponly-cookies
