CORS $.ajax session cookies (access-control-allow-credentials & withCredentials=true)

Backend · Unresolved · 2 answers · 1033 views
刺人心
刺人心 2020-12-31 18:44

I realize this question has been asked a dozen or more times and each response given indicates I am doing it right but perhaps I am missing something.

AJAX serves up

2 answers
  • 2020-12-31 19:06

    async: false

    was preventing the session cookie from being sent back to the server on each request. The following fixed it.

    async: true

    Although this does allow for the session cookie to get set by the browser when making a cross origin request sharing call, I am now experiencing problems regarding the following scenario:

    Server A sends response to client
    Client using CORS makes request of server B

    XMLHttpRequest -> PHP -> Session handler -> MySQL -> Stored Procedure 
    

    Due to the MUTEX locks in PHP session management, the asynchronous nature (and, apparently, requirement) may force a workaround of manually setting the cookie with a different header option, such as XCookie or something similar, to keep the server's session and the client's requests synchronized.

    This particular workaround does not sit well with me, as I believe it would open up an easy lane of travel for session hijacking and session replay attack vectors.

    Using an SSL/TLS wrapped connection may assist in preventing the above scenario but in terms of independently providing security measures for the client I do not believe this should suffice.

    Anyone with any thoughts on this?

    0 · Discussion (0)
  • 2020-12-31 19:21

    In your example above, you are setting the Access-Control-Allow-Origin header to 'http://someotherdomain.com', which is the same as the URL you are requesting from jQuery. The Access-Control-Allow-Origin header should be the value of the domain the request is coming from. As a quick test, try setting the value of this header to '*' (without the quotes) and see if it works ('*' means all domains are allowed).

    0 · Discussion (0)