In answer to your second question (If a CORS enabled server sets a session_token through a cookie…?), the cookie is saved under the domain of the CORS server. The main web page’s JS code can’t access the cookie, even via document.cookie. The cookie is only sent to the server when the .withCredentials property is set, and even then, it is only accepted when the server sets the Access-Control-Allow-Credentials header.
Your first question is a little more open ended. It is fairly secure, but there are ways to circumvent things. For example, an attacker could use a DNS poisoning technique to cause a preflight request to hit the actual server, but send the actual CORS request to the rogue server. Here are some more resources on CORS security:
- http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
- owasp.org CORS CheatSheet
Lastly, your concern is around giving any website access to your CORS data. In order to protect against this, you should not use the Access-Control-Allow-Origin: * header. Instead, you should echo back the user’s Origin value. For example:
Access-Control-Allow-Origin: http://www.example.com
This header will allow only http://www.example.com to access the response data.