JSESSIONID without cookie?

Posted by BartMille on 11-Apr-2017 10:35

We're developing a REST-api using OERealm form-based authentication (oe 11.5).

The goal is to create an independent api that will be used by our Angular developers to create a website. We prefer to use a token instead of something like basic security.

Everything works when you work with the standard login-form in the browser. A cookie (JSESSIONID) is generated & passed around.

But, when I try to use ajax, it fails. I know (/think) the cookie can't be used from JavaScript. But I was under the impression that the X-CLIENT-CONTEXT-ID could be used instead of the cookie.

I can't get this to work however.

So, my question: is it possible to access the api passing around a token in the header (or body)?

If so, any ideas how?

I've tried something like this, but it returns "forbidden":

$(document).ready(function () {
   alert("before call");
   $.ajax({
      url : "localhost:8980/.../customer",
      // Session id sent as a custom request header instead of the cookie
      headers: {"X-CLIENT-CONTEXT-ID": "F4913D668091CB818096F31FC70801E8" },
      type : 'GET',
      contentType: "application/json",
      success : function (data) {
         alert("ok");
         debugger;
      },
      // jQuery passes (jqXHR, textStatus, errorThrown) to the error callback
      error : function (jqXHR, textStatus, errorThrown) {
         alert(errorThrown);
         debugger;
      }
   });
});

Posted by bronco on 12-Apr-2017 01:51

I think your answer is in: http://stackoverflow.com/questions/2870371/why-is-jquerys-ajax-method-not-sending-my-session-cookie

In short:

$.ajax({
   url: a_cross_domain_url,
   xhrFields: {
      withCredentials: true
   }
});
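
The `withCredentials` setting above only takes effect when the server's CORS response also permits credentialed requests from the calling origin. The following is an added example, not code from the thread or from Progress, that models those browser checks; the origin `http://localhost:4200` and the function names are assumptions, and one header set stands in for both the preflight and the actual response.

```javascript
// Added example: models the browser's CORS checks for a credentialed XHR.
// Simplification: one header set stands in for preflight and actual response.
const ALLOWED_ORIGINS = new Set(["http://localhost:4200"]); // assumed web-app origin

// Server side: answer only allowlisted origins, echoing the exact origin.
// "*" or a blind reflection of Origin must not be combined with credentials.
function corsHeadersFor(origin, allowedOrigins = ALLOWED_ORIGINS) {
  if (!origin || !allowedOrigins.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Content-Type, X-CLIENT-CONTEXT-ID",
    "Vary": "Origin",
  };
}

// Browser side: may a script on `origin` read the response to a request sent
// with withCredentials: true and the given non-safelisted request headers?
function browserAccepts(origin, responseHeaders, customHeaders = []) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return { ok: false, reason: "no allow-origin header" };
  if (allowOrigin === "*") return { ok: false, reason: "wildcard origin with credentials" };
  if (allowOrigin !== origin) return { ok: false, reason: "origin mismatch" };
  if (h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials not allowed" };
  }
  const allowed = (h["access-control-allow-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const missing = customHeaders.find((n) => !allowed.includes(n.toLowerCase()));
  if (missing) return { ok: false, reason: "request header not allowed: " + missing };
  return { ok: true, reason: "allowed" };
}

// Constructed sample run: the request headers used in the original post.
const sent = ["Content-Type", "X-CLIENT-CONTEXT-ID"];
console.log(browserAccepts("http://localhost:4200", corsHeadersFor("http://localhost:4200"), sent));
console.log(browserAccepts("http://other.example", corsHeadersFor("http://other.example"), sent));
```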

Posted by BartMille on 12-Apr-2017 06:54

Thx for your answer. I stumbled on the same solution as yours. And indeed, it solved my problem.

Only now I'm wondering: what is the purpose of having the 'x-client-context-id' at the client?

Posted by bronco on 12-Apr-2017 07:19

Well, it seems that at least the JSDO needs it:

community.progress.com/.../18846

This thread is closed