From what I have read, it is impossible to send a cookie across domains, (as I understand the browser blocks them for privacy reasons). However I hope someone can tell me about a work around.

I've achieved this in our .Net winForms client, however I can't get it to work on our web software.

Scenario: I have my web site, this needs to call a 3rd party system that uses a rest implementation with XML that exists inside the customers firewall and can not be accessed from outside of their offices (VPN is not an option either).

I set my cookie:

$.cookie('name', 'value', {path : '/', domain : '192.168.254.164'});

and make post request

$.post(call, function(d) {}, 'text')
.success(function(d) {... /*do something*/

However, the cookie is not sent (see my request and response headers below)

Request Headers
Accept    text/plain, */*; q=0.01
Accept-Encoding   gzip, deflate
Accept-Language   en-gb,en;q=0.5
Connection    keep-alive
Host  192.168.254.164:8080
Origin    http://localhost:27249
Referer   http://localhost:27249/index.html
User-Agent    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0


Response Headers
Access-Control-Allow-Orig...  http://localhost:27249
Cache-Control no-cache
Content-Type  application/xml;charset=UTF-8
Date  Tue, 01 May 2012 15:14:58 GMT
Server    Sun Java System Application Server 9.1_01
Set-Cookie    JSESSIONID=8f7fbcd40348c0b5d912830bca8a; Path=/App
Transfer-Encoding chunked
X-Powered-By  Servlet/2.5

The response I receive tells me that I am unauthorised (this is because the cookie is not set).

I can not modify anything on the 3rd party's server, so on proxy's and I can't use JSONP as everything is in XML.

For debugging I tried to read the cookie before I send, but it results in 'null':

alert($.cookie(_svcMnuCookieSessionIdKey));

I'm new to web dev, so this may be a strange question - but as you can see from the response header I believe I am receiving a cookie (I receive the same cookie when I log in) - as the browser deals with cookies, shouldn't it save it and apply it to my requests automatically? rather than me having to manually add it as above? though saying that, the JSESSIONID looks to have different values in both requests and the spec says I must use the original JSESSIONID I get when I've logged in as the value of my cookie.

In my .Net app I do it similar to this:

 Dim httpWebRequest As Net.HttpWebRequest = CType(Net.WebRequest.Create("http://192.168.254.164:8080/App/RestfulService"), Net.HttpWebRequest)

 httpWebRequest.UserAgent = My.Application.Info.AssemblyName
 httpWebRequest.KeepAlive = True 'set the connection keep-alive (this is the default)
 httpWebRequest.Headers.Set(Net.HttpRequestHeader.Pragma, "no-cache") 'we don't want caching to take place so we need to set the pragma header to say we don't want caching
 httpWebRequest.Method = "POST"

 If Not String.IsNullOrEmpty(_sessionId) Then 'it isn't used on some request, so don't add it if it is nothing
     Dim cookie As New System.Net.Cookie("JSESSIONID", _sessionId)
     cookie.Domain = New Uri("http://192.168.254.164:8080/App/RestfulService").Host
     httpWebRequest.CookieContainer = New Net.CookieContainer
     httpWebRequest.CookieContainer.Add(cookie)
 End If

 httpWebRequest.ContentType = "application/x-www-form-urlencoded"

 Dim postData As Byte() = New System.Text.UTF8Encoding(False).GetBytes(RichTextBox1.Text)

 httpWebRequest.ContentLength = postData.Length

 Using tmpStream As IO.Stream = httpWebRequest.GetRequestStream
     tmpStream.Write(postData, 0, postData.Length)
 End Using

 Dim httpWebResponse As Net.HttpWebResponse = CType(httpWebRequest.GetResponse, Net.HttpWebResponse)

 If WebValidation.WebResponseHasContent(httpWebResponse) Then

     Dim str As String = String.Empty
     'Read the raw HTML from the request
     Using sr As New IO.StreamReader(httpWebResponse.GetResponseStream, System.Text.Encoding.UTF8)
         str = sr.ReadToEnd
     End Using

 End If

Return str

So, is this a cross-domain cookie request? and how can I recreate this functionality in my web client?

I don't think you are trying to set a cross domain cookie. A system wouldn't ask you for that. Usually in a situation like this you need to do some handshake with the 3rd party system to get a token or in your case a JSESSIONID first (from the system). However from the looks of things you are trying to set a cookie on the 3rd party system rather than accepting a cookie from the system. Does that make sense? So what I'd expect is that you need to make a request through to the 3rd party system to get hold of the token and then to pass that token back for every subsequent request when you are trying to grab the xml.

I think that in your scenario you have your web-app and the 3rd party app. What you might be confusing is cookies being set on your browser vs cookies being 'set' on your web-app (for authentication purposes).

When you have authenticated with the 3rd party system and you get a JSESSIONID back, try setting your subsequent request headers to contain a 'cookie' header containing the JSESSIONID or whatever it is that the 3rd party system needs for authentication.

Remember that in this case where you are calling the 3rd party as a service from your web-app, it's your web-app that is the 'browser' for that call to the 3rd party. So when it makes subsequent calls to the 3rd party system it has to mimick a browser by pretending that a cookie (containing your authentication sessionid) is there - you do this by setting the 'cookie' request header.

You can't. Browser makers have spend a lot of time & effort to ensure that what you're trying to accomplish can't happen, and even if you did find a temporary solution, it would be considered a security hole & probably patched in the next release.

Instead, try to figure out how to pass the information needed into the web service.