Unanswered: Cross Domain Session Managment
I'm building a client-side solution that consumes a remote .NET web service, Here is the problem
1- The user makes a Log in request with a username and password ( done using Ext.Ajax.request )
2- The server responses with a JSON message saying that log in successful, also it responds with a cookie variable
ASP.NET_SessionId : "blahblahblahblah"
3- The user requests for some data using some web service method
4- But the server responses with 200 OK and a JSON message telling that an "AuthenticationError" has happened and "Another user with the same credentials kicked you out."
Now the problem is:
When I check the request headers in the second request, I see that the browser didn't add the cookie that was previously sent by the web service, So I don't know exactly How the web service would know that I am the user who just logged in
How can I force all requests ( after log in success) to be in the same session, should I send back the ASP.NET_SessionId cookie? How can I send it? Is there another way?
Note: All requests is done after enabling CORS in Ext.Ajax in ( e.g. "Ext.Ajax.cors = true" )
Thanks in advance
I am having the exact same problem. I have been using Sencha 2.0.1 ... but now moving to 2.1 as it allowes withCredential config in proxy which according to sencha lets you set the cookie.
BUT , question to all Sencha pros, I still havent got any confirmation from anyone that even with the 'withCredential' config turned on, subsequent ajax request sends that cookie out so that server can recognize session.
This is a serious issue as to application level security. I am amazed to see so little clarification through out the internet regarding this issue.
mitchellsimoens I believe you r pro, please do investigate the issue and tell what is the solution
Tags for this Thread