Does your filter take care about the sessions? For each CORS request I get a different JSESSIONID.
var xhr = new XMLHttpRequest(); var url = 'http://bar.other/resources/credentialed-content/'; xhr.open('GET', url, true); xhr.withCredentials = true; xhr.onreadystatechange = handler; xhr.send();
Second, the CORS Filter must also expressly state to the browser that cookies are permitted. This is advertised during the so called “pre-flight” request that the browser makes before an actual request that may involve credentials, such as cookies. The CORS Filter ships with a default configuration where credentials, such as cookies, are flagged as allowed when responding to preflight requests. To restrict this edit the
cors.supportsCredentials configuration parameter.
The Java CORS filter itself doesn’t access the cookie headers in any way, nor does it interface to the JSESSIONID.
So, to sum up, both the calling script on the browser side as well as the CORS Filter on the server side must expressly have the credentials flag enabled for cookies to pass through.
There is a snag however and it has to do with Internet Explorer. Its XDomainRequest implementation of CORS doesn’t allow cookies to be passed at all, for security reasons says Microsoft. Which is probably a good thing. So if you wish to achieve wider browser support for your cross-domain application or service you will have to use an alternative mean to cookies for storing session IDs, such as passing the token as an URL parameter.