I'm developing a PhoneGap application that communicates with a secure .net server. The issue is, I can't seem to pass along any Cookies with any request (W3C).
This is what I am doing (assume that "username" and "password" work).
var token;
$.ajax({
url: "https://server.com/AuthService/api/account/login",
crossDomain: true,
type: 'post',
async: false,
data: {
username: "username",
password: "password"
}
}).done(function(response) {
token = response.securityToken;
success = true;
});
At this point I have an authentication token that I can use to validate all subsequent requests. So using that token I make another request to the server...
$.ajax({
url: "https://server.com/Service/api/search?query=" + query,
headers: { Cookie: 'auth=' + token },
crossDomain: true,
withCredentials: true,
type: 'POST',
async: false,
data: ' ' //because we don't want our request to be 0 bytes (the server is picky)
}).done(function(data) {
result = data;
});
Chrome just says: Refused to set unsafe header "Cookie" (which adheres to the W3C spec). The app doesn't set the header and as a result the request 401s because the authorization cookie is not sent.
My question is this: Is there any way to subvert this and override the Cookie header (or another way to go about it entirely) on PhoneGap? I know that using an Authorization header is also an option, but I have limited access to the server (which doesn't support it) and was hoping for a more immediate solution.
Bonus question: The call to the AuthService should also set an httpOnly cookie on the device, but does not (I speculate that this is because it is cross domain request)... Am I correct in this assumption, or could there be something wrong server side?
Thanks!
