Not a bug Cookies not transmitted from subdomains

[Lukas W.]

Affected version

2.0.9

Having some trouble with XenForo not transmitting cookies when not calling to the own domain. I'm running XenForo on example.com and the external instance on blog.example.com. When doing an Ajax call from that external instance, cookies are by default not being transmitted with the request, although it originates from the same domain, and just a different subdomain.

I've counteracted this behaviour by using the following code, but as it might break depending on the target server not allowing it, we need a less hacky and more native solution to get this running in general and not having to build it in on a case by case basis.

<xf:js>
    $.ajaxPrefilter( function( options, originalOptions, jqXHR ) {
        options.xhrFields = {
            withCredentials: true
        };
    });
</xf:js>

 

[Chris D]

I'd have thought that you'd need to set a cookie domain in the WordPress config:

define( 'COOKIE_DOMAIN', '.example.com' );

And a cookie domain in the XenForo config:

$config['cookie']['domain'] = '.example.com';

Something like that should work.

 

[Lukas W.]

Unfortunately that doesn't work. The cookies are available on the WordPress site when I set the domain right in the XF config, but changing the WordPress cookie domain doesn't change anything, they're still not transmitted with the request and I continue to receive a Cookies are required to use this site. You must accept them to continue using the site. error when doing an Ajax request to XenForo without my workaround.

 

[Mike]

My understanding is really that this is how CORS works. It applies to sub-domain requests as well. By default, the cookies won't be sent; XF simply uses the browser's own behavior for this.

That's where the withCredentials part comes in and the other elements of CORS. I believe you would need to do some site-specific configuration if you are going to take this approach.