Session Management in AJAX+CORS setting in Tomcat

I'm making AJAX requests from my web application to an Apache Tomcat 7 running on another Domain, which means that due to CORS restrictions (especially for IE 8 + 9), I cannot use any cookies (as they will be discarded).

How can I make use of session management in this case or any other alternative approach to it. Basically I have RESTful webservices that reside on Domain 1 and UI built on Angular that reside on Domain 2. So, the session is not being persisted across the domains.

Please help as how to resolve this problem or any other alternate approach to be taken.
Prabhudas ChAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mccarlIT Business Systems Analyst / Software DeveloperCommented:
Ok, I haven't really delved into this before but by reading the CORS specifications you may be able to get the cookies to be used correctly even across multiple domains.

If you check out the CORS spec (http://www.w3.org/TR/cors/#resource-requests) in particular in section 6.1 and dot point 3 it says that setting the value of the "Access-Control-Allow-Origin" header to "*" will disable cookies, etc. So you should try setting that value to the domain that your Angular UI is running on (which also should be the value of the "Origin" header that is sent with the request, but that might not be mandatory for this to all work). Also, the spec says at that point that you should set the "Access-Control-Allow-Credentials" header to "true" (must be lowercase) for this to work too.

Can you try those 2 changes to the code in your ServletFilter and see if it helps?
0
Prabhudas ChAuthor Commented:
No,it did not help. I have tried the above options.

The problem is I am unable to retain the same session across the domains.

Regards,
Prabhu
0
RobOwner (Aidellio)Commented:
Personally I haven't attempted to get CORS to work.  

My approach has been to add my own middlewar.  In your case, on Domain 2 with the UI stuff, I also have server side software that then call the required RESTful webmethods.  The session is "passed though".  

Yes it's double handling, but it works.  I can expand on this if you're interested and have questions.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Services

From novice to tech pro — start learning today.