CORS requests with session/cookie

Question

My application has a PHP server and a client (a JS single-page app). They are separate projects and deployed in different domains. The client consumes a RESTful API exposed

Answer 1

I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls

Not for cross-domain requests for CORS-enabled ressources (which seems to be the case here, if I understand your described setup correctly.)

To make that happen, you need to set the withCredentials flag.