Problem with cookie and cross-domain XHR\iframe

Posted 10 months ago by tweet9ra

Hi. I have a problem with cross-domain requests: the Cookie header is missing from the request.

Test page:

Route::any('/test', '[email protected]');
public function test() {
    \Session::push('test', '+');
    return [\Session::get('test')];
}

After I refresh the page foo.loc/api/test 5 times, I have this output:

[["+","+","+","+","+"]]

But when I go to bar.loc, which contains this iframe:

<iframe src="http://foo.loc/api/test"></iframe>

I have this response:

[["+"]]

I'm using laravel cors, config:

'supportsCredentials' => true,
'allowedOrigins' => ['*'],
'allowedHeaders' => ['*'],
'allowedMethods' => ['*'],
'exposedHeaders' => [],
'maxAge' => 0,
'hosts' => [],

Kernel.php:

protected $middlewareGroups = [
        'api' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Barryvdh\Cors\HandleCors::class,
            'throttle:60,1',
            'bindings',
        ],
    ];

config/session.php:

'driver' => 'file',
'lifetime' => '120',
'expire_on_close' => false,
'encrypt' => false,
'files' => 'framework/sessions',
'secure' => false,
'http_only' => false,
'same_site' => 'lax',
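
Added example, not part of the original post: a simplified JavaScript model of how current browsers decide whether to attach a cookie, run against the two requests described above (direct visit to foo.loc versus the iframe on bar.loc) with the `same_site` and `secure` values from the posted config/session.php. The function and field names are hypothetical, and the last two host labels are assumed to stand in for the registrable domain.

```javascript
// Simplified model of a browser's SameSite decision for attaching a cookie.
// Assumption: the last two host labels stand in for the registrable domain
// (no Public Suffix List lookup), which is enough for foo.loc vs bar.loc.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function siteOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.hostname.split(".").slice(-2).join(".");
}

// cookie:  { sameSite: "strict" | "lax" | "none", secure: boolean }
// request: { url, topLevelUrl, isTopLevelNavigation, method }
function cookieDecision(cookie, request) {
  const https = new URL(request.url).protocol === "https:";
  if (cookie.secure && !https) {
    return { sent: false, reason: "Secure cookie on a non-HTTPS request" };
  }
  if (siteOf(request.url) === siteOf(request.topLevelUrl)) {
    return { sent: true, reason: "same-site request" };
  }
  switch (cookie.sameSite) {
    case "none":
      return cookie.secure
        ? { sent: true, reason: "SameSite=None with Secure" }
        : { sent: false, reason: "SameSite=None without Secure is rejected" };
    case "lax":
      return request.isTopLevelNavigation && SAFE_METHODS.has(request.method)
        ? { sent: true, reason: "cross-site top-level navigation, safe method" }
        : { sent: false, reason: "SameSite=Lax blocks cross-site subrequests" };
    default:
      return { sent: false, reason: "SameSite=Strict blocks cross-site requests" };
  }
}

// Constructed requests mirroring the post's two cases.
const direct = { url: "http://foo.loc/api/test", topLevelUrl: "http://foo.loc/api/test",
                 isTopLevelNavigation: true, method: "GET" };
const framed = { url: "http://foo.loc/api/test", topLevelUrl: "http://bar.loc/",
                 isTopLevelNavigation: false, method: "GET" };
const framedTls = { ...framed, url: "https://foo.loc/api/test", topLevelUrl: "https://bar.loc/" };

const posted = { sameSite: "lax", secure: false }; // values from config/session.php above
console.log("direct visit:", cookieDecision(posted, direct));
console.log("iframe on bar.loc:", cookieDecision(posted, framed));
console.log("iframe, none+secure over HTTPS:",
            cookieDecision({ sameSite: "none", secure: true }, framedTls));
```

With no session cookie attached, every iframe load starts a fresh session, which matches the single "+" in the response. Moving the session cookie to `SameSite=None; Secure` gives up the browser-side cross-site restriction on it, so with `supportsCredentials` enabled the CORS `allowedOrigins` should name the embedding origin rather than `*`.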
