I have a single page application (SPA) on a domain a.domain.com (http) that connect to an api on b.otherdomain.com (https) build in Play 2 (scala).
After the loading of the SPA, the user enter is credentials and the app make an ajax call to https://b.otherdomain.com.com/login.
The /login set the Play cookie and the following request are well authenticated. Everything works on Chrome and Firefox (not IE because of CORS restrictions).
It should work on Safari but after the /login call, the cookie is not sent back with the following requests, so play returns "401 not authorized" responses.
Is this a bug or a misconfiguration on my server side ? Do I have to change application.session.httpOnly and application.session.secure ?
Here is what I see from the Safari inspector :
/login headers :
URL de la requête:https://b.otherdomain.com//login
Méthode de la requête:POST
Code d’état:200 OK
En-têtes de requêteafficher la source
Accept:application/json, text/plain, */*
Content-Type:application/x-www-form-urlencoded
Origin:http://a.domain.com.com
Referer:http://a.domain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Données du formulaireafficher l’URL codée
email:[email protected]
password: foofoo
En-têtes de réponseafficher la source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://a.domain.com
Connection:keep-alive
Content-Length:31
Content-Type:text/plain; charset=utf-8
Set-Cookie:PLAY_SESSION=a71f93e3315fa9164dd7112841ccdb4a0f0c447b- sessionId%3A6gtu7%21z.5i%218d%29v8yxy693n-s6zsuejpav_p67f9hb%7Ej%274h2de*jx3g35p%7Egzo0u;Path=/;HTTPOnly
Strict-Transport-Security:max-age=31536000
following request :
URL de la requête:https://b.otherdomain.com/users
Méthode de la requête:GET
Code d’état:401 Unauthorized
En-têtes de requêteafficher la source
Accept:application/json, text/plain, */*
Origin:http://a.domain.com
Referer:http://a.domain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
En-têtes de réponseafficher la source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://a.domain.com
Connection:keep-alive
Content-Length:24
Content-Type:text/plain; charset=utf-8
Strict-Transport-Security:max-age=31536000