I am working on a custom login page for a MarkLogic 9 application. I have an HTTP app server (server-side JavaScript) on localhost:8601. The login.sjs page is simple:

xdmp.addResponseHeader('Access-Control-Allow-Origin', '*');
xdmp.addResponseHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');
xdmp.addResponseHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type');
xdmp.addResponseHeader('Access-Control-Allow-Credentials', "true");

xdmp.setResponseContentType("text/plain");

//generate object with field names from Request params
var params ={}; //JSON parsed URL parameters
var field_names = xdmp.getRequestFieldNames().toArray();
for(var fname_idx in field_names){
  params[field_names[fname_idx]] = String(xdmp.quote(xdmp.getRequestField(String(field_names[fname_idx]))));
}
//get username and password from passed parameters
var username = params.username;
var password = params.password;
xdmp.login(username,password);

When I access this page directly (i.e. typing in localhost:8601/login.sjs?username=test&password=test), it logs in successfully and responds with these headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:X-Requested-With,content-type
Access-Control-Allow-Methods:GET, POST, OPTIONS, PUT, PATCH, DELETE
Access-Control-Allow-Origin:*
Connection:Keep-Alive
Content-Length:4
Content-type:text/plain; charset=UTF-8
Keep-Alive:timeout=5
Server:MarkLogic
Set-Cookie:SessionID=917f127921feb6ef; path=/

The problem occurs when I try to access the page from my client-side login.html page, which sends the following ajax request:

$("#login-button").click(function(event){
    var un = $("#username").val();
    var pw = $("#password").val();
    if(un){
        params.username = $("#username").val();
    }
    if(pw){
        params.password = $("#password").val();
    }
    event.preventDefault(); //prevent form from clearing
    console.log("input entered");
    $.ajax({
        type: "POST",
        url: url,
        data: params,
        success: function(data){
            alert("login worked");
            if(data == "true"){
                console.log("worked");
                checkUsername();
                //window.location.href = "homepage.html";
            } else{
                alert("login failed");
                invalidLogin();
            }
        },
        error: function(data){
            invalidLogin();
        }
    }); 
});

This will successfully log in as well but the headers returned from the server do not include the SessionID cookie:

Content-Length:3022
Content-type:text/html
Date:Mon, 12 Jun 2017 08:03:36 GMT
Last-Modified:Mon, 12 Jun 2017 07:03:45 GMT
Server:SimpleHTTP/0.6 Python/2.7.13

My question: Why is my login.html ajax request page not receiving the cookie response header from the server and/or how do I fix it?

My setup:

  • MarkLogic 9
  • HTTP app server on port 8601
  • python simpleserver on port 8010 (all localhost)
  • I have tried with multiple users (including admin) so I don't believe that it is a privileges issue.

Thanks in advance.

Alec Daling
  • The server response header in your second request looks suspicious. Does your AJAX call go through some middle-ware or a proxy? – grtjn Jun 12 '17 at 08:47
  • I don't think so, everything is hosted locally. Though I don't know enough to determine definitively. Is there a way I can make sure? Also, could it have something to do with the fact that I'm using a cross domain request? Or that I am using a python SimpleHTTPServer instead of apache, etc? – Alec Daling Jun 12 '17 at 17:34

1 Answer

Possible duplicate; I found the answer in another post: "Get and store cookie (from Set-Cookie) from an AJAX POST response".

I just had to include the following line in my ajax request:

xhrFields: { withCredentials: true },

Since this will throw an error if you have a wildcard in your Access-Control-Allow-Origin header, I also had to change this line:

xdmp.addResponseHeader('Access-Control-Allow-Origin', '*');

to this:

xdmp.addResponseHeader('Access-Control-Allow-Origin', 'http://localhost:8010');

And now my browser collects cookies.

Alec Daling
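
The browser-side rule behind this fix, as an added example that is not part of the original answer: it models the CORS check a browser applies to a cross-origin response, alongside a server-side helper that echoes only allowlisted origins instead of `*`. `ALLOWED_ORIGINS`, `corsHeadersFor` and `browserCorsCheck` are hypothetical names; the origin is the one from this page.

```javascript
// Added example (not from the original post). ALLOWED_ORIGINS and both
// function names are hypothetical; the origin is the one used on this page.
const ALLOWED_ORIGINS = new Set(['http://localhost:8010']);

// Server side: choose CORS headers from the request's Origin header.
// Only allowlisted origins are echoed back; anything else gets no CORS headers.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not reuse this response for another origin
  };
}

// Browser side: the CORS check applied to a cross-origin response.
// Returns whether the script may read the response and whether Set-Cookie is kept.
function browserCorsCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  const deny = (reason) => ({ readable: false, cookieStored: false, reason });
  if (allowOrigin === undefined) return deny('no Access-Control-Allow-Origin');
  if (!withCredentials) {
    // Without credentials a wildcard is accepted, but Set-Cookie is ignored.
    return allowOrigin === '*' || allowOrigin === requestOrigin
      ? { readable: true, cookieStored: false, reason: 'ok, cookies ignored' }
      : deny('origin mismatch');
  }
  if (allowOrigin === '*') return deny('wildcard not allowed with credentials');
  if (allowOrigin !== requestOrigin) return deny('origin mismatch');
  if (headers['Access-Control-Allow-Credentials'] !== 'true') {
    return deny('Access-Control-Allow-Credentials is not "true"');
  }
  return { readable: true, cookieStored: true, reason: 'ok' };
}

const page = 'http://localhost:8010';
const other = 'http://other.example'; // constructed origin that is not allowlisted
const wildcard = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
};
console.log(browserCorsCheck(page, false, wildcard));             // question's setup
console.log(browserCorsCheck(page, true, wildcard));              // withCredentials with '*'
console.log(browserCorsCheck(page, true, corsHeadersFor(page)));  // answer's setup
console.log(browserCorsCheck(other, true, corsHeadersFor(other)));
```

Checking the origin against an allowlist, rather than reflecting whatever `Origin` the request carries, keeps credentialed responses readable only by pages you trust.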