I am trying to send a cross domain request from a page on one domain to a PHP server on another domain. Everything works fine without credentials (I need session) but as soon a
When setting the header Access-Control-Allow-Credentials to true, you cannot use a wildcard for the header Access-Control-Allow-Origin. That is, a specific host must be specified.
Instead of:
Access-Control-Allow-Origin: *
Use:
Access-Control-Allow-Origin: http://safedomain.com
You can even set the Access-Control-Allow-Origin header to the Origin header received in the request. Not sure about PHP, but using the Java Servlets API:
String origin = request.getHeader("Origin");
// CORS headers are set on the response (HttpServletResponse), not the request.
response.setHeader("Access-Control-Allow-Origin", origin);
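
A PHP version of the approach in the answer above, as an added example that is not part of the original answer: it echoes the Origin header back only when it exactly matches an allowlist, and sends Vary: Origin because the response now depends on that header. The helper name corsHeaders and the second allowlist entry are assumptions made for illustration.

```php
<?php
// Origins allowed to send credentialed requests. The first entry is the host
// used in the answer; the second is a constructed placeholder.
const ALLOWED_ORIGINS = [
    'http://safedomain.com',
    'https://app.example.test',
];

// Hypothetical helper: returns the header lines to send for a given Origin value.
function corsHeaders(?string $origin, array $allowed = ALLOWED_ORIGINS): array
{
    // The response depends on the Origin header, so caches must key on it.
    $headers = ['Vary: Origin'];

    // Exact string comparison only: no substring, suffix or regex matching,
    // and the literal origin "null" is rejected unless explicitly listed.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return $headers; // no Access-Control-* headers: the browser blocks the read
    }

    // Echo the matched origin instead of "*", which browsers reject
    // when credentials are allowed.
    $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
    $headers[] = 'Access-Control-Allow-Credentials: true';
    return $headers;
}

if (PHP_SAPI !== 'cli') {
    // Served by a web server: apply the headers before any output is sent.
    foreach (corsHeaders($_SERVER['HTTP_ORIGIN'] ?? null) as $line) {
        header($line);
    }
} else {
    // Run from the command line: show the decision for constructed sample origins.
    $samples = ['http://safedomain.com', 'http://safedomain.com.other.example', 'null', null];
    foreach ($samples as $sample) {
        echo var_export($sample, true), ' => ', implode(' | ', corsHeaders($sample)), PHP_EOL;
    }
}
```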