Credentials flag is 'true', but the 'Access-Control-Allow-Credentials

Question

I am trying to connect to a ASP.NET Web-API Web Service from an AngularJS page and I am getting the following

Credentials flag is \'true\', but the \'Access-Control-Al

Answer 1

The header is added twice once by the code and the other by the web.config. The CORS support is used to allow for the addition of headers for CORS purposes. The configuration custom headers also add response headers to any request, so you may want to remove the config setting.

var cors = new EnableCorsAttribute..

<customHeaders>
    <add name="Access-Control-Allow-Origin" value="http://localhost:221" />
</customHeaders>

Since both of those areas are adding the same origin twice, you get the multiple values on the header.

When making an AJAX call with the parameter withCredentials: true, the response header should have the Access-Control-Allow-Credentials = true. You need to add that via code using SupportsCredentials = true for the CORS attributes. Otherwise you will get the error "Credentials flag is 'true', but the 'Access-Control-Allow-Credentials is ''"

For more information, on the withCredential parameter and the response header look at this article:

http://www.ozkary.com/2015/12/api-oauth-token-access-control-allow-credentials.html

hope it helps.

Answer 2

For whom, who uses WebApiConfig.cs:

config.EnableCors(new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true }); 

Answer 3

I came across this question while trying to hit a webapi on .net core from an angular2 app. I had to add AllowCredentials() to the cors configuration in my Configure method in the Startup.cs to look like the following.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    ...
    app.UseCors(builder =>
        builder
        .AllowCredentials()
        .WithOrigins("http://localhost:3000"));
    ...
}