Send ajax requests without cookies in the same domain? - ajax

I see that Google's or Twitter's autosuggest sends ajax requests which are very lightweight, since they don't send any cookies with the request. I was wondering how they do it.
I googled for ways, but I found ways like sending via CORS, whereas they are sending the request to the same domain.
Any ideas or ways on how to do that?
I am using Chrome.
Thanks in advance

These are the two options I can think of to answer your question:
Option 1: Set withCredentials: false when using XMLHttpRequest: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
Option 2: Delete the cookies before sending the request and (if you want to reuse them) restore them afterwards from a temporary variable, like so:
1. Get the cookies and store them somewhere (e.g. in a global var)
2. Delete the cookies from the domain
3. Send the AJAX request
4. Restore the cookies from the variable

Related

How to send the right Access-Control-Allow-Origin value for responses to cross-origin requests with credentials/cookies

I have a setup where a client application is running on a different domain (http://www.example.com) than the server application (http://www.example2.com). I've got the cross domain AJAX requests working except that I cannot figure out a way to send cookies with the request without having to add the Access-Control-Allow-Origin response header for each possible domain. Is there a way to set this up without having to specify a list of domains in that header? I'm aware of the security implications so I guess what I'm really asking is ... is there another framework separate from CORS that I can use which will allow this type of setup and at the same time allow any domain for the client application? I tried JSONP but that did not work out (could not send the cookie with the JSONP request). Is there something else I should try other than CORS and JSONP? Thanks.
EDIT: This is not a duplicate of the question mentioned in the duplicate notification. I'm already aware of the withCredentials flag. The problem is that I don't want to have to specify a list of domains in the CORS response header. I want something equivalent to setting that value to '*', but setting it to '*' is not allowed if sending a cross domain AJAX request that contains cookies.
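
The constraint behind this question, as an added example (not part of the original post): browsers reject `Access-Control-Allow-Origin: *` on credentialed responses, so the server has to echo one specific origin. This sketch validates the request's Origin against an allowlist before echoing it; the allowlist entries and the function names are constructed for illustration.

```javascript
// Added example, not from the original page. Allowlist entries are constructed.
const ALLOWED_ORIGINS = new Set([
  "http://www.example.com",
  "https://app.example.com",
]);

// Build the CORS headers for a credentialed cross-origin response.
// Vary: Origin is always set so shared caches never serve one origin's
// response (with its echoed header) to a different origin.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin !== "string") return headers;

  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return headers; // "null" and malformed values are never echoed
  }

  // Exact match on the serialized origin: no prefix, suffix or regex tests,
  // which is where lookalike hosts usually slip through.
  if (parsed.origin !== requestOrigin || !allowed.has(parsed.origin)) {
    return headers;
  }

  headers["Access-Control-Allow-Origin"] = parsed.origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Apply the headers inside a Node-style request handler.
// Returns true when the origin was accepted.
function applyCors(req, res) {
  const headers = corsHeaders(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return "Access-Control-Allow-Origin" in headers;
}
```

An origin that is not on the list gets no `Access-Control-Allow-Origin` header at all, so the browser withholds the response from the calling script.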

How can I get a cookie that came in a response from a different domain?

I'm sending an AJAX request to another domain, and it's sending me a response with a cookie, but document.cookie is empty. How can I make it visible? What permissions do I need? Thanks.
What you're attempting can't be done (it's a browser security issue).
It can only be solved by getting the user's browser to submit requests to each domain, which will then set its own cookie.

Stop sending Google Analytics cookie with ajax calls

I am using Google Analytics on an ajax-heavy website. I have a timer on the website, making an XMLHttpRequest every few seconds. With every request, the browser sends the Google Analytics cookies to my server. Since my server doesn't use these cookies, I want to somehow prevent the browser from including these cookies in every request.
Including _gaq.push(['_setDomainName', 'none']); did not help!
Any ideas?
Google Analytics cookies are first-party cookies.
They will be sent like every other first-party cookie for each request to the same domain (and subdomains).
You need to use a different domain for your Ajax calls (I guess it would bring some other troubles, but solutions exist: cross-domain requests).
Using a path like www.domain.com/ajax/ under which all ajax calls would happen, and creating empty __utma, __utmb, __utmc and __utmz cookies with a cookie path of /ajax/, would fail.
The empty cookies will not supersede the domain cookie for these requests, but will be added first in the request order.
I ended up limiting analytic cookies to my domain, then created a sub-domain for the feed ajax call running on a timer, then used jsonp for cross site compatibility. Hope this helps someone else out there.

Remove cookies from jquery ajax calls

I would like to make jQuery ajax calls that discard every cookie, so I can have a new session for every call.
Is there a way to do this?
Thanks
An AJAX request is exactly an HTTP request (XMLHttpRequest). Cookies get sent back and forth in the AJAX request-response headers in order to maintain the state of the user session across multiple HTTP requests.
HTTP is an inherently stateless protocol, and hence cookies are used to maintain the state of the user's session across multiple HTTP requests.
Instead of removing cookies, host all your static components (like images) in a cookie-free domain. The following URL might give you some info on this:
http://www.ravelrumba.com/blog/static-cookieless-domain/
As Harun pointed out, maybe you should consider a wider solution than deleting a session cookie that will alter the whole user session and not only your AJAX call.
To literally answer your question, you could delete the cookie you've set (provided you've set it yourself and not by another framework):
$.cookie("session", null);
$.ajax(url, settings);
But that's probably not a good solution, because you will delete the whole user session at each ajax call. You should tell us more about what you are doing so that we can help you.

Can an AJAX response set a cookie?

Can an AJAX response set a cookie? If not, what is my alternative solution? Should I set it with Javascript or something similar?
According to the w3 spec, section 4.6.3, for XMLHttpRequest, a user agent should honor the Set-Cookie header. So the answer is yes, you should be able to.
Quotation:
"If the user agent supports HTTP State Management it should persist, discard and send cookies (as received in the Set-Cookie response header, and sent in the Cookie header) as applicable."
Yes, you can set a cookie in the AJAX request in the server-side code just as you'd do for a normal request, since the server cannot differentiate between a normal request and an AJAX request.
AJAX requests are just a special way of making a request to the server; the server will need to respond as in any HTTP request. In the response to the request you can add cookies.
For the record, be advised that all of the above is (still) true only if the AJAX call is made on the same domain. If you're looking into setting cookies on another domain using AJAX, you're opening a totally different can of worms. Reading cross-domain cookies does work, however (or at least the server serves them; whether your client's UA allows your code to access them is, again, a different topic; as of 2014 they do).
Also check that your server isn't setting secure cookies on a non http request. Just found out that my ajax request was getting a php session with "secure" set. Because I was not on https it was not sending back the session cookie and my session was getting reset on each ajax request.
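
How a browser picks the cookies for a request, as an added example (not code from any of the posts above): a simplified model of the RFC 6265 Domain, Path and Secure checks, covering the Google Analytics and secure-session cases discussed in these threads. The cookie jar, hostnames and values are constructed; SameSite, expiry, HttpOnly and creation-time ordering are not modelled.

```javascript
// Added example, not from the original page. The jar below is constructed.
const JAR = [
  // Analytics cookie set for the whole registrable domain
  { name: "__utma", value: "ga1", domain: "example.com", hostOnly: false, path: "/", secure: false },
  // Empty cookie scoped to /ajax/, as tried in the Google Analytics thread
  { name: "__utma", value: "", domain: "www.example.com", hostOnly: true, path: "/ajax/", secure: false },
  // Session cookie flagged Secure
  { name: "PHPSESSID", value: "abc", domain: "www.example.com", hostOnly: true, path: "/", secure: true },
];

// RFC 6265 section 5.1.3: host-only cookies need an exact host match,
// Domain cookies also match every subdomain.
function domainMatch(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  if (cookie.hostOnly) return h === d;
  return h === d || h.endsWith("." + d);
}

// RFC 6265 section 5.1.4: the cookie path must be a directory prefix.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Build the Cookie header a browser would attach to a request for `url`.
function cookieHeaderFor(url, jar = JAR) {
  const u = new URL(url);
  const sent = jar.filter((c) =>
    domainMatch(u.hostname, c) &&
    pathMatch(u.pathname, c.path) &&
    (!c.secure || u.protocol === "https:") // Secure cookies never go over http
  );
  // Longer paths are listed first; a path-scoped cookie does not replace
  // the domain-wide one, both are sent.
  sent.sort((a, b) => b.path.length - a.path.length);
  return sent.map((c) => `${c.name}=${c.value}`).join("; ");
}
```

For `http://www.example.com/ajax/feed` the result is `__utma=; __utma=ga1`: the path-scoped empty cookie is listed first but the domain cookie still goes out, and the Secure session cookie is withheld because the request is not HTTPS.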
