Allowing user credentials or the user's session to be sent with a CORS request lets the server recognise the same user across CORS requests. This is useful if the server needs to check whether the user is logged in before providing data (for example, only performing an action if a user is logged in, which requires the CORS request to be sent with credentials).
This can be achieved server-side for preflighted requests by sending the Access-Control-Allow-Credentials header in response to the OPTIONS preflight request. Take the following case of a CORS request to DELETE a resource:

    OPTIONS /cors HTTP/1.1
    Host: example.com
    Origin: example.org
    Access-Control-Request-Method: DELETE

    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: example.org
    Access-Control-Allow-Methods: DELETE
    Access-Control-Allow-Credentials: true

The Access-Control-Allow-Credentials: true line indicates that the following DELETE CORS request may be sent with user credentials.
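The preflight decision above, written out as an added example that is not code from the original page: a server-side function that answers the OPTIONS request with the credentialed CORS headers only for an exact-match allowlist of origins. The names ALLOWED_ORIGINS, corsHeaders and handlePreflight, and the https://example.org allowlist entry, are assumptions; the page's Origin value is shown without a scheme, but real browsers send one.

```javascript
// Added example (not from the original page). Assumed names: ALLOWED_ORIGINS,
// ALLOWED_METHODS, corsHeaders, handlePreflight. Allowlist values are constructed.
const ALLOWED_ORIGINS = new Set(['https://example.org']);
const ALLOWED_METHODS = ['GET', 'DELETE'];

// Headers shared by the preflight response and the actual (e.g. DELETE) response.
// Returns null when the Origin is not on the allowlist.
function corsHeaders(origin) {
  // Exact-match allowlist. Reflecting whatever Origin arrives together with
  // Allow-Credentials: true would let any site make authenticated requests.
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    // Must be a specific origin: browsers reject "*" when credentials are sent.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Decide the reply to an OPTIONS preflight. `req` is a plain object carrying the
// relevant request headers; returns { status, headers } for the caller to send.
function handlePreflight(req) {
  const base = corsHeaders(req.origin);
  const method = (req.accessControlRequestMethod || '').toUpperCase();
  if (!base || !ALLOWED_METHODS.includes(method)) {
    // Send no CORS headers at all; the browser then blocks the cross-origin call.
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: { ...base, 'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', ') },
  };
}

// Constructed preflight mirroring the OPTIONS request shown above.
const examplePreflight = handlePreflight({
  origin: 'https://example.org',
  accessControlRequestMethod: 'DELETE',
});
```

The same corsHeaders output must also be attached to the actual DELETE response, otherwise the browser discards the result even though the preflight succeeded.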