7

I have a bookmarklet. If I open a random page (not mine) and click the bookmarklet, I would like to check if the user is logged in on my page.

I am already doing a cross-domain AJAX request using Access-Control-Allow-Origin, but it looks like no session ID or cookie is sent here.

Is there a way to do this?

PiTheNumber

2 Answers

4

Alex is right! Here is the full solution. (It does not work with IE8 and IE9!)

You need to set withCredentials on the client side. Since jQuery 1.5.1 you can do it as shown below (Source). For older versions, follow the white rabbit.

$.ajax({
   url: a_cross_domain_url,
   xhrFields: {
      withCredentials: true
   }
});

On the server side you have to allow setting options, allow the credentials and allow the origin. A wildcard origin is not allowed! But you can read out the origin from the request header :)

// auto adapted Access Control to origin from request header.
$headers = apache_request_headers();
foreach ($headers as $header => $value) {
    if ($header == 'Origin')
        header('Access-Control-Allow-Origin: ' . $value, true);
}
// send cookies from client
header('Access-Control-Allow-Credentials: true', true);
// allow all methods
header('Access-Control-Allow-Methods: GET, POST, OPTIONS', true);
Community
PiTheNumber
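An added example, not part of the original answer: echoing back every Origin together with Access-Control-Allow-Credentials: true lets any page the logged-in user visits read the response with the user's cookies. This variant reflects arbitrary origins only for one endpoint that returns nothing but the login state, and uses an allowlist everywhere else. The names cors_headers, LOGIN_STATUS_PATH and TRUSTED_ORIGINS and their values are assumptions.

```php
<?php
// Added example with hypothetical names and values; adapt paths and origins to your site.

const LOGIN_STATUS_PATH = '/api/login-status';          // assumed endpoint, returns only {"loggedIn": bool}
const TRUSTED_ORIGINS   = ['https://app.example.com'];  // assumed allowlist for every other path

/**
 * Decide which CORS headers to send for a request path and Origin header value.
 * Returns an array of header lines; an empty array means "send no CORS headers".
 */
function cors_headers(string $path, ?string $origin): array
{
    // Reject missing, "null" or malformed origins; only scheme://host[:port] is accepted.
    if ($origin === null
        || !preg_match('#^https?://[a-z0-9.-]+(:\d{1,5})?$#i', $origin)) {
        return [];
    }

    $reflect = ($path === LOGIN_STATUS_PATH)              // any origin, but minimal data
            || in_array($origin, TRUSTED_ORIGINS, true);  // rest of the API, known origins only
    if (!$reflect) {
        return [];
    }

    return [
        'Access-Control-Allow-Origin: ' . $origin,
        'Access-Control-Allow-Credentials: true',
        'Access-Control-Allow-Methods: GET, OPTIONS',
        'Vary: Origin',  // keeps caches from serving one origin's response to another
    ];
}

// Usage inside a request handler (skipped on the CLI, where there is no request).
if (PHP_SAPI !== 'cli') {
    $path = (string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    foreach (cors_headers($path, $_SERVER['HTTP_ORIGIN'] ?? null) as $line) {
        header($line);
    }
}
```

Because the login-status endpoint answers credentialed requests from any origin, any site can learn whether the visitor is logged in, so its response should carry no user data beyond that flag.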
2

You have to set the credentials flag to true and also the header Access-Control-Allow-Credentials.

See also here: Firefox: Cross-domain requests with credentials return empty

Community
Alex