
Session Management in AJAX+CORS setting in Tomcat

I'm making AJAX requests from my web application to an Apache Tomcat 7 running on another Domain, which means that due to CORS restrictions (especially for IE 8 + 9), I cannot use any cookies (as they will be discarded).

How can I make use of session management in this case, or is there any other alternative approach to it? Basically, I have RESTful web services that reside on Domain 1 and a UI built on Angular that resides on Domain 2. So, the session is not being persisted across the domains.

Please help with how to resolve this problem, or with any alternate approach to be taken.
Asked by: Prabhudas Ch
 
mccarl, IT Business Systems Analyst / Software Developer, commented:
Ok, I haven't really delved into this before but by reading the CORS specifications you may be able to get the cookies to be used correctly even across multiple domains.

If you check out the CORS spec (http://www.w3.org/TR/cors/#resource-requests) in particular in section 6.1 and dot point 3 it says that setting the value of the "Access-Control-Allow-Origin" header to "*" will disable cookies, etc. So you should try setting that value to the domain that your Angular UI is running on (which also should be the value of the "Origin" header that is sent with the request, but that might not be mandatory for this to all work). Also, the spec says at that point that you should set the "Access-Control-Allow-Credentials" header to "true" (must be lowercase) for this to work too.

Can you try those 2 changes to the code in your ServletFilter and see if it helps?
 
Prabhudas Ch (Author) commented:
No, it did not help. I have tried the above options.

The problem is I am unable to retain the same session across the domains.

Regards,
Prabhu
 
Rob, Owner (Aidellio), commented:
Personally I haven't attempted to get CORS to work.

My approach has been to add my own middleware. In your case, on Domain 2 with the UI stuff, I also have server side software that then calls the required RESTful webmethods. The session is "passed through".

Yes it's double handling, but it works.  I can expand on this if you're interested and have questions.