Main | RealPlayer 11 Beta »

September 06, 2007

How to send a Cookie with an xmlHttpRequest from IE

I'm not sure if this was just me, or if anyone else has ever struggled with this. I did some Googling and found a few posts related to other people trying to do a similar thing and encountering the same problem.

The problem I encountered was when I used an xmlHttpRequest in IE (IE only. I didn't see this behavior in any other browsers...), it did not send the Cookie(s) for the current session with the request. Also, if I tried to set the Cookie header directly using setRequestHeader("Cookie",foo) the Cookie value would arrive blank at the server.

I determined this by writing a cgi script to print out all request headers for a given request to a log file so I could track them.

The interesting thing I noticed is if I instead used a custom header setRequestHeader("MyHeader",foo) rather than the Cookie header, the custom header and value would arrive intact at the server. So what I did was wrote a conditional statement into the server code that first checked for the existence of the Cookie value, and if it did not exist, it checked for the existence of MyHeader to get the Cookie value.

It seems to work around the problem in IE, and it has also worked in Opera, FireFox and Safari with no problems/errors. There may be an explanation for the IE behavior that involves me being wrong/trying to do something restricted by protocol/blah blah blah...but either way you look at it, I need to get it done, so this at least worked. Hopefully it will help somebody.

Posted by stm at September 6, 2007 08:51 AM

Trackback Pings

TrackBack URL for this entry:
http://blog.case.edu/stm/mt-tb.cgi/15265

Comments

Perhaps you're running into:
"PRB: XMLHttpRequest setRequestHeader Method and Cookies": When using the XML Document Object Model (DOM), the setRequestHeader method on the XMLHttpRequest object does not seem to set cookie headers as expected. The first call to setRequestHeader using the Cookie HTTP header seems to have no effect.

http://support.microsoft.com/?id=234486

Posted by: Joe Tan at September 8, 2007 04:36 PM

Joe, that is a very good suggestion. However, I had found that article while researching the problem, and following the fix described in the article did not alter the behavior I was seeing. I think it is also interesting that at the end of the article they say it is better to set the Cookies using the Set-Cookie header from the server. That is what I am doing, and the cookie exists in the document.cookie object upon page load, but it just will not send it with the xml request. Sorry, it may also be relevant to add the only version of IE I was using to test was version 7. Thank you for the suggestion.

Posted by: stm at September 10, 2007 08:22 AM

I had this problem before, thanks for the fix

Posted by: Angry at May 30, 2008 01:08 PM

This might explain what you saw: http://drupal.org/node/322563. Are you using iframes by any chance?

Posted by: sits at November 25, 2008 07:53 PM

sits, thanks for the link. I actually was not using iframes, but I would venture to guess the problem was related to the same phenomena. I have not tested this since last year so the IE7 behavior may have changed in the meanwhile. I probably should try this again and maybe post a code example...

Posted by: stm at November 25, 2008 11:49 PM

The cookie could well be HttpOnly (an attribute invented by microsoft) so it's not available to Javascript. This was initially only supported in IE but now firefox (3+) etc. support it...

Posted by: Dan at June 9, 2009 10:03 AM

Thanks for the suggestion Dan. That would explain the problem, but the Cookie is available in JavaScript, as its value is set fine on the custom header. In my javascript I have something like:

x.setRequestHeader("Cookie",foo)
x.setRequestHeader("CustomCookie",foo)

and CustomCookie comes out with the correct value at the server but the standard Cookie is blank.

It is good to be aware of the HttpOnly behavior though so thanks for the heads up. I had not heard of that before.

Posted by: stm at June 10, 2009 02:06 PM

Post a comment

¡Comment registration is required but no TypeKey token has been given in weblog configuration!