Level 75
Where is other domain, is it a subdomain. See https://laracasts.com/discuss/channels/laravel/subdomain-single-auth-across-all-subs-main-not-working
Nov 9, 2022
11
Level 1
Ajax request to other domain to get user info data
Hi:
I have my maindomain.com project.
In other site othersite.com, I want to show an icon if the user is logged in the maindomain.com
I do an Ajax request, and do the CORS stuff (by the way, this library works perfectly https://github.com/fruitcake/laravel-cors)
But when I request the ajax from othersite.com to the URL maindomain.com/check-user, I don't get the right information.
That controller is simple:
return (Auth::check() ? 1 : 0)
NOTE: Well, actually this is the test ... in the real world I will return the name and avatar so they will just click on it and go from othersite.com to maindomain.com ;-)
But as I said, ajax is returning 0
If I go in the same browser to maindomain.com/check-user... it returns 1, since I'm logged !!!
What can be happening?
By the way,
- ajax request is using xhrFields: { withCredentials: true },
- Access-Control-Allow-Origin, Access-Control-Allow-Headers and Access-Control-Allow-Methods headers are not using wildcard (as suggested here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials)
Level 1
@jlrdw No, it's a whole different domain name :-P with subdomains is easy ;-)
Level 75
@skater if a different domain have you considered setting up passport and making this domain an API.
Level 1
@jlrdw and what's the point ? to perform a request from other_site.com to maindomain.com (where the API is) ? and how can the API knows the user is logged in that browser ?
Level 75
@skater look up and make sure you are using the correct headers.
Level 1
@jlrdw again ... how is possible to perform a API REQUEST from domain2.com and get information of logged user of domain1.com in that browser ... that's impossible !
Level 75
@skater last answer I didn't mention API I mean using cors.
Level 1
@jlrdw And we get back to the original question ... CORS is what I'm using ,.. but I can not get it work... please, read the original question
Level 75
return (Auth::check() ? 1 : 0)
Are you sure it doesn't need to be a json response? And curious, why not have all on same domain with sub domains if all of these are your sites.
If the other site in not yours they might not allow such a request.
Edit:
And you do have,
Access-Control-Allow-Origin: https://thesite and not a * ?
Level 1
@jlrdw Different domains is a strategic marketing and company decision... it has to be like that.
And yes, as I explained: Access-Control-Allow-Origin, Access-Control-Allow-Headers and Access-Control-Allow-Methods headers are not using wildcard (as suggested here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials)
Level 1
This will simply not work, because when you do ajax request to different domain, the ajax request wont sent cookie data that is needed to authenticate user. Even though your user is logged on another domain, browser wont use those cookies when doing ajax request from another domain.
I tried: ajax requests, embeding url in <script tag, embeding as iframe
Those all wont sent cookie information that is needed for that.
One possible solution is to open the window with external page and then manipulate it through opener. Not sure if this will work, and also might be problematic because browsers block those popups usually - so seems not very reliable method.
Other thing that might work is doing some redirects. When user enter the page, you do simple redirect (document.location ="..") to the other domain to a specific url. Then on the other domain on specific url you check if user is logged in (it was redirect so browser should send the cookies), and you redirect back to original site with some prepared parameters like some token that you can use to authenticate user on this site, then you save some session data to avoin redirects loop. This should work ... in theory :)
Please or to participate in this conversation.