How to pass the authentication cookie from the server is written in Golang in ReactJS app if between CORS?

There is a problem. There is a server application written in Go that performs the API functions. And there are a ReactJS app. They are located at different addresses, respectively, they have CORS. Well, so be it, allowed such a relationship between them, but it is assumed that Go is sends the browser a cookie and then uses this state for further action. And the cookie passed to the browser, if we just pull the appropriate request through the browser. But from the app to React the same query does not lead to this result. Response received, but no cookie. All because of CORS.

Here's what to do - I don't know. Can I go in the wrong direction? Maybe you need to generate the cookie in the app React based on any data received from the server? Maybe you need to use a JWT? Give me a hint.
June 14th 19 at 20:35
4 answers
June 14th 19 at 20:37
in order to get the browser to store cookies sent to us server. You need to give 4 header
  • enable cors
    "Access-Control-Allow-Headers: Content-Type"

  • showing the client that these requests use cors
    "Access-Control-Allow-Methods: POST, OPTIONS"
    place POST, OPTIONS can stand any exotics that you send
  • allow the browser to save from this server cookies
    Access-Control-Allow-Credentials: true

  • well, the browser to store the cookie for your domain SPA-app don't forget
    Access-Control-Allow-Origin: http://localhost:3000
    where http://localhost:3000 address of your SPA-application
  • in Supplement, do not forget to respond to the OPTIONS request
    HTTP/1.1 200 OK
    if you are using the rest-api, usually it's the library

to send cookies in your requests, you should note
withCredentials: true

in Jquery the $.ajax, added option
xhrFields: { withCredentials: true },
June 14th 19 at 20:39
Google same.
  1. (the 1st option as default, the 2nd option should be checked)
  3. (Cookies can be read in an iframe if they were set outside of the iframe? identity need a reality check and in all browsers)
June 14th 19 at 20:41
Wrap the API in React-app - mount the same servo (so that the domain address was one) and all.
If you tell me how to do it, it would solve all my problems)) - Moriah46 commented on June 14th 19 at 20:44
, if mod_rewrite is Apache... - Kyleigh_Hills commented on June 14th 19 at 20:47
June 14th 19 at 20:43
I just to develop to cut off the security in the browser, I don't know if it will start with your backend but should)
$ open -a Google\ Chrome --args --disable-web-security --user-data-dir

the idea is to help
Unfortunately, the solution is not universal, because, in most browsers, security is enabled. - Moriah46 commented on June 14th 19 at 20:46
is for development and production is decided by server settings - Kyleigh_Hills commented on June 14th 19 at 20:49

Find more questions by tags GoHTTP CookiesReact