I process the response from the server:

    xmlhttp.onreadystatechange = function () {          // assign the asynchronous event handler
        answer.innerHTML = '<img src="loading.gif">';
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            answer.innerHTML = xmlhttp.responseText;    // assign the response body
            document.getElementById("device").innerHTML =
                "Cookie: " + xmlhttp.getResponseHeader("Set-Cookie");
        }
    }

The server has the following headers:

    header('Access-Control-Allow-Origin: *');
    session_name('RED');      // must be set before session_start()
    session_start();
    header('Set-Cookie: ' . session_name() . '=' . session_id());
    header('Access-Control-Allow-Headers: Set-Cookie');
    header('Access-Control-Expose-Headers: Set-Cookie');

The output is: Cookie: null.

Why does getResponseHeader() not return the Set-Cookie header, even though Access-Control-Expose-Headers: Set-Cookie explicitly allows it? What else is needed?

  • Use the "Fragment of the code" button only for the code that can actually be executed in the browser. For non-self-sufficient pieces of code and non-JS / HTML / CSS code pieces, use blocks of code formatted with indentation (Ctrl + K). - Athari

1 answer

The XHR specification explicitly prohibits reading the Set-Cookie header. Access to this header opens up too much room for vulnerabilities. Therefore, access is entirely and completely prohibited.

Cookies follow strict access rules, and it is assumed that the Set-Cookie header is fully processed by the browser. After receiving such a header, you should read the updated document.cookie. If the cookie has not been updated, it means that it is not intended for you.

If you want to communicate with the server using cross-domain cookies, you can add your own header and process it as you like. Call it X-Redmal-Set-Cookie and use it without any restrictions.

See xmlHttp.getResponseHeader + Not working for CORS.
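The rule the answer describes can be modelled outside a browser. The following is an added example (not code from the question, the answer, or any browser) that reproduces the Fetch standard's header-exposure logic: Set-Cookie and Set-Cookie2 are forbidden response-header names and are never readable by script, while for a cross-origin response only the CORS-safelisted headers plus the names listed in Access-Control-Expose-Headers are readable. The response object, the session id RED=abc123 and the X-Internal-Trace header are constructed for the demonstration; the X-Redmal-Set-Cookie name is the one the answer suggests.

```javascript
// Added example: models how a browser decides which response headers a
// cross-origin XHR/fetch caller may read. Not code from the question or answer.
// Rules modelled, per the Fetch standard:
//  - Set-Cookie and Set-Cookie2 are forbidden response-header names and are
//    never exposed, whatever Access-Control-Expose-Headers says.
//  - Cross-origin, only CORS-safelisted response headers plus the names in
//    Access-Control-Expose-Headers are readable; "*" is a wildcard only when
//    the request was sent without credentials.

const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);
const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Parse "A, B ,c" into a set of lower-cased header names.
function parseExposeHeaders(value) {
  if (!value) return new Set();
  return new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Is the script allowed to see this header at all?
// headers: object keyed by lower-cased header name, as the server sent them.
function isReadable(name, headers, { crossOrigin, withCredentials = false }) {
  const lower = name.toLowerCase();
  if (FORBIDDEN_RESPONSE_HEADERS.has(lower)) return false; // hidden even same-origin
  if (!crossOrigin) return true;
  const exposed = parseExposeHeaders(headers["access-control-expose-headers"]);
  if (exposed.has("*") && !withCredentials) return true;
  return CORS_SAFELISTED_RESPONSE_HEADERS.has(lower) || exposed.has(lower);
}

// Behaves like xhr.getResponseHeader(name): the value, or null when hidden/absent.
function getResponseHeader(name, headers, opts) {
  if (!isReadable(name, headers, opts)) return null;
  const value = headers[name.toLowerCase()];
  return value === undefined ? null : value;
}

// Constructed response resembling the PHP server in the question: the session
// cookie is sent both as Set-Cookie and as the custom header the answer
// suggests. "RED=abc123" is a made-up session id; X-Internal-Trace is a
// constructed header that the server does not list as exposed.
const constructedResponse = {
  "content-type": "text/html; charset=utf-8",
  "access-control-allow-origin": "*",
  "access-control-expose-headers": "Set-Cookie, X-Redmal-Set-Cookie",
  "set-cookie": "RED=abc123; path=/",
  "x-redmal-set-cookie": "RED=abc123",
  "x-internal-trace": "trace-0001",
};

const crossOrigin = { crossOrigin: true };
console.log(getResponseHeader("Set-Cookie", constructedResponse, crossOrigin));          // null
console.log(getResponseHeader("X-Redmal-Set-Cookie", constructedResponse, crossOrigin)); // RED=abc123
console.log(getResponseHeader("X-Internal-Trace", constructedResponse, crossOrigin));    // null
```

Two points the model makes visible: Set-Cookie stays null even for a same-origin request, so no CORS header can unhide it, and the custom header is readable only because the server also lists it in Access-Control-Expose-Headers (Access-Control-Allow-Headers, which the question's server sets, governs request headers and has no effect on what the response exposes). Anything carried in such a custom header is readable by every origin the server allows, so a session id placed there loses the protection the browser gives the real cookie.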