My application has a PHP server and a client (a JS single-page app). They are separate projects and deployed in different domains. The client consumes a RESTful API exposed
I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls
Not for cross-domain requests for CORS-enabled resources (which seems to be the case here, if I understand your described setup correctly).
To make that happen, you need to set the withCredentials flag.
You must set withCredentials to true for cross-origin XHR requests to include cookies.
The CORS response must also say Access-Control-Allow-Credentials: true (which is why withCredentials defaults to false).
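As an added example (not code from the answers above), both halves of the credentialed CORS exchange in JavaScript: the client request that opts in with withCredentials, and a server-side helper mirroring what the PHP API has to emit, since a response that allows credentials must name one specific origin rather than `*`. The origins, the allowlist and the URL are assumed placeholders.

```javascript
// Client side (browser): the PHP session cookie is only attached to a cross-origin
// request when the request opts in. The xhr object is passed in so the helper can be
// exercised with a stub outside a browser.
function callApiWithSession(xhr, url) {
  xhr.open("GET", url);
  xhr.withCredentials = true; // without this the browser omits the cookie entirely
  xhr.send();
  return xhr;
}
// fetch() equivalent of the same opt-in: fetch(url, { credentials: "include" })

// Server side: the same decision the PHP API must make per request.
// A credentialed CORS response must echo exactly one allowed origin (never "*")
// and carry Access-Control-Allow-Credentials: true. Constructed sample allowlist.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

function corsHeadersFor(requestOrigin, opts = {}) {
  const allowed = opts.allowed || ALLOWED_ORIGINS;
  // Unknown or missing Origin: emit no CORS headers at all, so the browser refuses
  // to expose the response to the calling page. Do not reflect arbitrary origins.
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) {
    return null;
  }
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin, // exact origin, not "*"
    "Access-Control-Allow-Credentials": "true",
    // The value depends on the caller, so shared caches must key on Origin.
    "Vary": "Origin",
  };
  if (opts.preflight) {
    // Reply to the OPTIONS preflight the browser sends before non-simple requests.
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
  }
  return headers;
}
```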