Set-Cookie in HTTP header is ignored with AngularJS

Solution 1:

I found an issue in AngularJS that help me to move forward.

It seems that "Access-Control-Allow-Credentials" : true was not set on the client side. Instruction $httpProvider.defaults.withCredentials = true was ignored.

I replace $resource call by a simple $http call with {withCredentials:true} in the config parameter.

Solution 2:

I've managed to solve an issue very similar to yours. My Play! backend tried to set a session Cookie which I could not catch in Angular or store via browser.

Actually the solution involved a bit of this and a bit of that.

Assuming you've solved the initial issue, which can be solved only by adding a specific domain to the Access-Control-Allow-Origin and removing the wildcard, the next steps are:

1. You have to remove the HTTP-Only from the Set-Cookie header, otherwise you will never be able to receive a cookie "generated" by your angular code
   This setup will already work in Firefox, though not in Chrome

2. To make it work for Chrome too, you need to:

   a) send a different domain from localhost in the cookie, using the domain your WS are "hosted". You can even use wildcards like .domain.com instead of ws.domain.com

   b) then you'll need to make a call to the domain you specified in the cookie, otherwise Chrome won't store your cookie

   [optional] I would remove that /api path in favor of a /

And that should to the trick.
Hope to have been of some help