HTTP access control (CORS): Permitting user credentials or session


Example

By default a cross-origin request is sent without the user's cookies, HTTP authentication headers or TLS client certificate, so the server sees it as anonymous. Allowing credentials to be sent with a CORS request lets the server tie the request to the user's existing session. This is useful when the server needs to know whether the user is logged in before providing data or performing an action (for example, only deleting a resource if the user is authenticated; this requires the CORS request to be sent with credentials, which the calling page opts into with credentials: 'include' on fetch() or withCredentials = true on XMLHttpRequest).

This is negotiated server-side by sending the Access-Control-Allow-Credentials header. For a preflighted request the browser checks it on the response to the OPTIONS preflight (which is itself always sent without credentials) and then again on the response to the actual request; both responses must carry it, and both must name a specific origin in Access-Control-Allow-Origin rather than the wildcard *, which browsers reject in credentialed mode. Take the following case of a CORS request to DELETE a resource:

OPTIONS /cors HTTP/1.1
Host: example.com
Origin: https://example.org
Access-Control-Request-Method: DELETE

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://example.org
Access-Control-Allow-Methods: DELETE
Access-Control-Allow-Credentials: true
Vary: Origin

The Access-Control-Allow-Credentials: true line indicates that the following DELETE request may be sent with the user's credentials. The response to that DELETE must repeat Access-Control-Allow-Origin: https://example.org and Access-Control-Allow-Credentials: true; otherwise the browser withholds the response from the calling script even though the server has already carried out the deletion. Because the allowed origin is echoed per request, the response also carries Vary: Origin so that shared caches do not serve one origin's response to another.