Set-Cookie in HTTP header is ignored with AngularJS

Question

I\'m working on an application based on AngularJS on client side and Java for my API (Tomcat + Jersey for WS) on server side.

Some path of my API are restricted, if

Answer 1

I've managed to solve an issue very similar to yours. My Play! backend tried to set a session Cookie which I could not catch in Angular or store via browser.

Actually the solution involved a bit of this and a bit of that.

Assuming you've solved the initial issue, which can be solved only by adding a specific domain to the Access-Control-Allow-Origin and removing the wildcard, the next steps are:

1. You have to remove the HTTP-Only from the Set-Cookie header, otherwise you will never be able to receive a cookie "generated" by your angular code
   This setup will already work in Firefox, though not in Chrome

2. To make it work for Chrome too, you need to:

   a) send a different domain from localhost in the cookie, using the domain your WS are "hosted". You can even use wildcards like .domain.com instead of ws.domain.com

   b) then you'll need to make a call to the domain you specified in the cookie, otherwise Chrome won't store your cookie

   [optional] I would remove that /api path in favor of a /

And that should to the trick.
Hope to have been of some help