I have a rails app that has 2 subdomains: API (CORS) => api.myapp.dev Web

Question

0

Editorial Team

Asked: June 9, 20262026-06-09T19:39:57+00:00 2026-06-09T19:39:57+00:00

I have a rails app that has 2 subdomains: API (CORS) => api.myapp.dev Web

0

I have a rails app that has 2 subdomains:

API (CORS) => api.myapp.dev
Web App => myapp.dev

I can only access my API via auth_token which is returned right after user’s authentication using Devise. However, my client (web app) is not setting these cookies. Am I missing something?

class Api::V1::SessionsController < Api::V1::BaseController

  def create
    @user = User.find_for_database_authentication(:email => params[:user][:email])

    if @user and @user.valid_password?(params[:user][:password])
      sign_in @user # Set-Cookie header response with the session
      render "api/v1/users/preview", :handlers => :rabl # return auth_token here
    else
      flash[:error] = I18n.t('devise.failure.invalid')
      render "api/v1/base/error", :handlers => :rabl, :status => :unprocessable_entity 
    end
  end
end

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-09T19:39:59+00:00

Editorial Team

2026-06-09T19:39:59+00:00Added an answer on June 9, 2026 at 7:39 pm

For security reasons you can’t set cookies from cross-domain websites. However, jQuery.ajax let’s you do this by explicitly setting the following options:

$.ajax
  type: "POST"
  url: "api.mydomain.com/login"
  xhrFields:
    withCredentials: true

Also, make sure to return headers['Access-Control-Allow-Credentials'] = "true" from your HTTP response.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a rails app that has 2 subdomains: API (CORS) => api.myapp.dev Web

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply