{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 一夜七次 的问题《Set-Cookie response header not working using Angul》','https://www.manongdao.com/q-1125982.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am developing an Angular 2 app that is using django-rest-framework a backend. I am doing my tests using a development server (ng serve from angular-cli) and another one for django (default from manage.py). Both server are accessible from 127.0.0.1 but on different ports.
My authentication system is based on cookie served by django-rest-framework. Everything works fine when using the views from django-rest-framework.
When I try to login from angular 2, I receive a valid response with a Set-Cookie Header. The problem is that the cookie is never set in the browser (tested in chrome and firefox).
Is this a CORS problem? I have corsheader app installed with the following parameters
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
As I understand the django-cors (and basically cors in general) you can not set allow all and allow credentials at the same time, this is from cors middleware:
So basically you need to have origin properly set - as you with both Trues goes to the else block;
You can read more about it, here: MDN CORS, especially this fragment:
"Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *. Since the Access-Control-Allow-Origin explicitly mentions http://foo.example, the credential-cognizant content is returned to the invoking web content. Note that in line 22, a further cookie is set. In case of failure, an exception, depending on the API used, is raised."