Open rasulsafa opened 7 years ago
Hm, I made this pull request almost three years ago - I don't really remember why I closed it. I'll make a small tweak and reopen it.
I don't have time to test this until the weekend, so if you or someone else would like to, that would be great.
Thanks for reactivating. I got the cookies working, but it was a very painful experience. There are many things that need to be done just right in order for a modern browser to accept the cookie in a cross-site environment.
For those who are interested in what it takes besides setting the secure flag:
```java
res.addHeader("Access-Control-Allow-Origin", session.getHeaders().get("origin"));
res.addHeader("Access-Control-Allow-Credentials", "true");
```
And then of course you also need to handle the pre-flight OPTIONS request:
```java
// Answer the CORS pre-flight request with the allowed methods and headers.
if (session.getMethod() == Method.OPTIONS) {
    Response resp = NanoHTTPD.newFixedLengthResponse("");
    resp.addHeader("Access-Control-Allow-Methods", "OPTIONS, POST, GET");
    resp.addHeader("Access-Control-Allow-Headers", "X-PINGOTHER, Content-Type");
    return resp;
}
```
Furthermore, the browser might demand the domain to be set in the cookie.
All in all, it takes much more than just the secure flag to get it working. But I'm not sure to what extent NanoHTTPD should support it. It's not called MicroHTTPD after all. :)
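The header set described in the comment above, as an added example that is not the commenter's or NanoHTTPD's own code. It goes one step further by echoing the `Origin` only when it is on an allowlist, since reflecting any origin together with `Access-Control-Allow-Credentials: true` lets every site make credentialed requests. The class name, method names, origins and cookie values are hypothetical; the returned map would be copied onto the response with `addHeader`.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CorsCookiePolicy {
    // Assumption: front-end origins trusted to send credentialed requests (constructed values).
    static final Set<String> ALLOWED_ORIGINS =
            Set.of("https://app.example.com", "https://admin.example.com");

    /** CORS headers for one request; only "Vary" is returned when the origin is not allowlisted. */
    static Map<String, String> corsHeaders(String origin, String method) {
        Map<String, String> headers = new LinkedHashMap<>();
        // The response differs per Origin, so caches must key on it.
        headers.put("Vary", "Origin");
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            return headers; // no Allow-Origin: the browser blocks the cross-site read
        }
        // With credentials, the exact origin must be echoed; "*" is rejected by browsers.
        headers.put("Access-Control-Allow-Origin", origin);
        headers.put("Access-Control-Allow-Credentials", "true");
        if ("OPTIONS".equals(method)) { // pre-flight request
            headers.put("Access-Control-Allow-Methods", "OPTIONS, POST, GET");
            headers.put("Access-Control-Allow-Headers", "X-PINGOTHER, Content-Type");
        }
        return headers;
    }

    /** Set-Cookie value that a browser will accept and send back in a cross-site context. */
    static String crossSiteCookie(String name, String value, String domain) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value).append("; Path=/");
        if (domain != null) {
            sb.append("; Domain=").append(domain);
        }
        // Cross-site cookies need SameSite=None, which is only honoured together with Secure.
        return sb.append("; Secure; HttpOnly; SameSite=None").toString();
    }

    public static void main(String[] args) {
        System.out.println(corsHeaders("https://app.example.com", "OPTIONS"));
        System.out.println(corsHeaders("https://app.example.com", "POST"));
        System.out.println(corsHeaders("https://evil.example.net", "POST")); // only Vary
        System.out.println(crossSiteCookie("session", "constructed-token", "api.example.com"));
    }
}
```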
Why is this closed?
I'd love to see this.