Set-Cookie on Browser with Ajax Request via CORS

Your AJAX request must be made with the “withCredentials” setting set to true (only available in XMLHttpRequest2 and fetch):

    // The snippet is wrapped in a Promise so that resolve/reject below are
    // defined; the function name and the url parameter are illustrative.
    function getWithCookies(url) {
        return new Promise(function (resolve, reject) {
            var req = new XMLHttpRequest();
            req.open('GET', url, true); // force XMLHttpRequest2
            req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
            req.setRequestHeader('Accept', 'application/json');
            req.withCredentials = true; // pass along cookies
            req.onload = function () {
                // store token and redirect
                let json;
                try {
                    json = JSON.parse(req.responseText);
                } catch (error) {
                    return reject(error);
                }
                resolve(json);
            };
            req.onerror = reject;
            req.send();
        });
    }

If you want a detailed explanation on CORS, API security, and cookies, the answer doesn’t fit in a StackOverflow comment. Check out this article I wrote on the subject:
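The client-side flag above is only half of the exchange. The following is an added example, not code from the answer or from the linked article, showing the server-side conditions under which a browser will actually send and store a cookie on a credentialed cross-origin request: the response must echo one explicit allowed origin (a wildcard `*` is refused by browsers when credentials are involved), carry `Access-Control-Allow-Credentials: true`, and any cookie meant to travel cross-site must be `SameSite=None; Secure`. The origin list, cookie name and the `handleRequest`/`loadUser` helpers are hypothetical.

```javascript
// Added example (not from the answer above). Hypothetical front-end origins
// that are allowed to make credentialed requests to this API.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Build the CORS response headers for a credentialed request from `origin`.
// Returns null when the origin is not allowed; the caller should then omit the
// CORS headers entirely rather than fall back to "*".
function corsHeadersForCredentialedRequest(origin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowedOrigins.has(origin)) {
    return null; // browser blocks the response; no credentials reach the page
  }
  return {
    // Echo the exact allowed origin. Browsers reject "*" when credentials are
    // in play, and reflecting arbitrary origins would let any site read
    // authenticated responses.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Without Vary: Origin a shared cache could serve one origin's ACAO to another.
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Accept',
  };
}

// Serialise a session cookie so that a cross-site XHR with withCredentials can
// store and later replay it. Secure and SameSite=None are what make that work.
function crossSiteSessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',      // not readable from script; XHR still sends it
    'Secure',        // required for SameSite=None
    'SameSite=None', // otherwise the cookie is dropped on cross-site requests
  ].join('; ');
}

// Check a Set-Cookie header value for the attributes a cross-site cookie needs.
function isCrossSiteCookieValid(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes('secure') && attrs.includes('samesite=none');
}

// Minimal Node.js request handler tying the pieces together (hypothetical).
// Usable as http.createServer(handleRequest).
function handleRequest(req, res) {
  const headers = corsHeadersForCredentialedRequest(req.headers.origin);
  if (!headers) { res.writeHead(403); res.end(); return; }
  if (req.method === 'OPTIONS') { res.writeHead(204, headers); res.end(); return; }
  res.writeHead(200, {
    ...headers,
    'Content-Type': 'application/json; charset=utf-8',
    'Set-Cookie': crossSiteSessionCookie('session', 'opaque-token-here', 3600),
  });
  res.end(JSON.stringify({ ok: true }));
}

// Browser side, matching the answer: fetch with credentials: 'include' behaves
// like XMLHttpRequest with withCredentials = true.
function loadUser(url) {
  return fetch(url, { credentials: 'include', headers: { Accept: 'application/json' } })
    .then((r) => r.json());
}
```

A quick way to confirm the setup in a browser is to watch the preflight `OPTIONS` response in the network panel: if `Access-Control-Allow-Origin` shows `*`, or the `Set-Cookie` lacks `SameSite=None; Secure`, the cookie will be silently ignored even though `withCredentials` is set.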

