在AngularJS，我有我的一个子REST的API，但我有其中的Cookie /会话不被跨域共享的问题。对于角我这样做：

In AngularJS, I have my Restful API in a subdomain but I am having the problem where the cookie/session is not being shared across domains. For Angular I am doing this:

app.config(['$httpProvider',
function($httpProvider) {
    $httpProvider.defaults.useXDomain = true;
    $httpProvider.defaults.withCredentials = true;
    delete $httpProvider.defaults.headers.common['X-Requested-With'];
}]);

此外，当我正在用$请求HTTP我做

Also when I am making a request with $http I am doing

var object = {};

object.url = '/example'
object.withCredentials = true;

$http(object).success(object.success).error(object.error);

和在我的服务器端我有：

And On my server side I have:

if($_SERVER['REQUEST_METHOD']=='OPTIONS') {
    if(isset($_SERVER['HTTP_X_FOWARDED_HOST']) && !empty($_SERVER['HTTP_X_FOWARDED_HOST'])) {
        $origin=$_SERVER['HTTP_X_FOWARDED_HOST'];
    } else {
        $origin=$_SERVER['HTTP_ORIGIN'];
    }
    if(isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && ($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='POST' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='DELETE' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='PUT')) {
        header('Access-Control-Allow-Origin: '.$origin);
        header('Access-Control-Allow-Credentials: true');
        header('Access-Control-Allow-Headers:  *,X-Requested-With,Content-Type');
        //header('Access-Control-Allow-Headers: Content-Type');
        header('Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT');
        // http://stackoverflow.com/a/7605119/578667
        header('Access-Control-Max-Age: 86400');
    }

}

现在我看到服务器是说，它将使凭据，但其不被发送的选项请求。下面的截图。

Now I see that the server is saying that it will allow credentials but its not being sent in the options request. Screenshot below.

我究竟做错了什么？

What am I doing wrong?

推荐答案

在默认情况下凭据不是在CORS pre-飞行OPTIONS请求发送。 看到这里。另请参阅本回答。该证书将在您的实际要求发送。

By default credentials are NOT sent in a CORS pre-flight OPTIONS request. See here. See also this answer. The credentials will be sent on your actual request.

此外，useXDomain和X-请求，随着标头不实际使用的角度当前版本，因此那些行无所事事在$ httpProvider配置。所有CORS的交互是通过浏览器本身和你的服务器处理。

Also, useXDomain and X-Request-With headers are not actually used in current versions of angular, so those lines are doing nothing in your $httpProvider config. All CORS interaction is handled by the browser itself and your server.

在一般要正确实现CORS您的服务器不应该要求在preflight请求凭据。 （请注意，一些浏览器给他们，无论如何，但不应该。）这是因为OPTIONS请求被认为是安全和永远不应该包含任何机密信息。

In general to properly implement CORS your server should not require credentials on the preflight request. (Please note that some browsers send them anyway, but shouldn't.) This is because an OPTIONS request is considered "safe" and should never contain any confidential information.

这可能是你的问题是你想跨域共享的cookie。什么饼干是你想送哪里？

It may be your problem is in the cookies you're trying to share across domains. What cookies are you trying to send where?