Cross Origin Resource Sharing with Credentials

小蘑菇 2020-11-30 04:09

I have a common authentication form across multiple subdomains (example.com, blog.example.com, and app.example.com). The login form must submit this data to example.com irre

2 Answers
  • 2020-11-30 04:34
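    // cross domain: echo the request's Origin back ("*" is not accepted together with credentials)
    if (isset($_SERVER['HTTP_ORIGIN'])) {
        header("Access-Control-Allow-Origin: ".$_SERVER['HTTP_ORIGIN']);
        header('Access-Control-Allow-Credentials: true');
    }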
    
  • 2020-11-30 04:44

    Two thoughts:

    1) Are you also including the "Access-Control-Allow-Credentials: true" header? This is needed for passing cookie credentials (and the corresponding XHR client must set .withCredentials = true).

    2) Have you tried the suggestion from your link and only include the origin for the current request? For example, if a request comes in with the header "Origin: http://blog.example.com", you would respond with "Access-Control-Allow-Origin: http://blog.example.com", and not a list of origins. This requires a little more work on your server-side implementation.

    3) One other thought, you mention that you have a single login form that must be shared by various domains. Well, if it is a standard HTML form, you can do a regular form-post across domains. You don't need to use CORS. Just set the "action" property of the form to the url you wish to post to. For example:

    <form name="login" method="post" action="http://login.example.com/doLogin">
    
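An added example, not code from either answer: one way to do what point 2 of the second answer describes, echoing the request's Origin only when it exactly matches a fixed list, so the credentialed response is never opened to an origin the site does not control. The allowlist entries (hosts from the question, with an assumed https scheme) and the function name `corsHeadersFor` are assumptions.

```php
<?php
// Added example. Hosts come from the question; the https scheme is assumed.
const ALLOWED_ORIGINS = [
    'https://example.com',
    'https://blog.example.com',
    'https://app.example.com',
];

/**
 * Build the CORS headers for one request. An Origin that is missing or not
 * on the list gets no Access-Control-* headers, so the browser refuses to
 * hand the credentialed response to the calling page.
 */
function corsHeadersFor(?string $origin): array
{
    // The response depends on Origin, so shared caches must key on it.
    $headers = ['Vary: Origin'];
    // Exact string comparison only: no substring, suffix or regex matching.
    if ($origin !== null && in_array($origin, ALLOWED_ORIGINS, true)) {
        $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
        $headers[] = 'Access-Control-Allow-Credentials: true';
    }
    return $headers;
}

if (PHP_SAPI !== 'cli') {
    // Web request: emit the headers for the Origin the browser sent.
    foreach (corsHeadersFor($_SERVER['HTTP_ORIGIN'] ?? null) as $line) {
        header($line);
    }
    return;
}

// CLI run: show the decision for constructed Origin values.
$samples = [
    'https://blog.example.com',          // listed
    'http://blog.example.com',           // same host, different scheme
    'https://example.com.other.test',    // listed name used as a prefix
    'null',                              // opaque origin
    null,                                // request without an Origin header
];
foreach ($samples as $origin) {
    printf("%-34s %s\n", var_export($origin, true), implode(' | ', corsHeadersFor($origin)));
}
```

Run from the command line, it prints the headers chosen for each constructed Origin; served by a web server, it sets them on the response.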