Question

30

Http requests withCredentials what is this and why using it?

rated 0 times [ 32] [ 2] / answers: 1 / hits: 43403 / 10 Years ago, wed, december 10, 2014, 12:00:00

I had a problem with CORS with node and angular and adding this option with true solved my problem.
But I don't find info about what it is and what it is doing.
Please can someone explain?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

yulissamirandah

Add To Favorites

Follow

Total Points: 493

Total Questions: 115

Total Answers: 94

Location: Lebanon

Member since Sun, Aug 2, 2020

4 Years ago

yulissamirandah questions

1 Swiper: Set custom slide to active

Fri, Jun 17, 22, 00:00, 2 Years ago

1 how to use history instance while using react routers v6?

Wed, Aug 26, 20, 00:00, 4 Years ago

1 How to activate a cdn slick-carousel?

Tue, Jan 28, 20, 00:00, 4 Years ago

1 how to create an auto hide sidebar

Mon, Nov 11, 19, 00:00, 5 Years ago

1 Map over two arrays of objects, match properties and store specific info in a new array

Fri, Oct 11, 19, 00:00, 5 Years ago

View All

answered 10 Years ago kadinl · Accepted Answer

Short answer:

withCredentials() makes your browser include cookies and authentication headers in your XHR request. If your service depends on any cookie (including session cookies), it will only work with this option set.

Longer explanation:

When you issue an Ajax request to a different origin server, the browser may send an OPTIONS pre-flight request to the server to discover the CORS policy of the endpoint (for non-GET requests).

Since the request may have been triggered by a malicious script, to avoid automatically leaking authentication information to the remote server, the browser applies the following rules :

For GET requests, include cookie and authentication information in the server request :

if XHR client is invoked with the withCredentials option is set to true

and if the server reply does not include the CORS header Access-Control-Allow-Credentials: true, discard response before returning the object to Javascript

For non GET requests, include cookie and authentication information only:

if withCredentials is set to true on the XHR object

and the server has included the CORS header Access-Control-Allow-Credentials: true in the pre-flight OPTIONS