How to request anonymously via Axios? #2455

Closed
geongeorge opened this issue Oct 10, 2019 · 21 comments

Comments

@geongeorge

I want to send a GET request to a url via axios.

It seems the website can recognize me via cookies and is redirecting the url to a page where logged in users are moved to.

I want to send a request as if I were doing it from an incognito tab

I have tried using withCredentials: false config.

This does not seem to have any effect with true or false in my case.

axios({
  url: url,
  method: 'get',
  maxRedirects: 15,
  headers: {
    'Content-Type': 'text/html',
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': 'GET',
  },
  withCredentials: false, // without cookies so no login
})
  .then((res) => {
    console.log("Response", res.data)
  })
  .catch((err) => {
    console.log("Error with fetch: ", err)
  })

  • Axios version: 0.19.0
  • Environment: Browser
@geongeorge
Author

I just tried to do the same with fetch and
I got the perfect output without previous cookies or login

fetch(url, { 
        credentials: 'omit',
      }).then((response)=>{
        return response.text();
      }).then((data)=>{
        console.log(data);
      }).catch(err=>{
        console.log(err);
      })

Is credentials: 'omit' the same as withCredentials: false in axios?
If not, how can I achieve the same?

@Alanscut
Collaborator

Alanscut commented Nov 7, 2019

Hi @geongeorge, credentials: 'omit' is indeed the same as withCredentials: false. I have tested your case on my server: when I set withCredentials to false or omit it, the cross-domain request does not carry the cookie. If I set withCredentials to true, the server gets the cookie. Could you provide more information?

BTW, when I set the same headers as you in the front-end, the program reports an error:

Access to XMLHttpRequest at 'http://localhost:3002/api/addWithCredentials' from origin 'http://localhost:3001' has been blocked by CORS policy

So I removed them and set the headers in the backend like this:

"Access-Control-Allow-Origin": "http://localhost:3001",
"Access-Control-Allow-Credentials": true,
"Access-Control-Allow-Methods": "GET",
"Access-Control-Allow-Headers": "Content-Type"

@geongeorge
Author

Forget the headers part. withCredentials was not working for me.
I tried several times and the page data returned seems to be as if I had logged into the website. I guess the cookies were passed.

Fetch seemed to work out of the box with credentials: 'omit' property

@Alanscut
Collaborator

@geongeorge Are you using axios with React? #1852 may solve your problem.

@geongeorge
Author

> @geongeorge Are you using axios with React? #1852 may solve your problem.

I was using this with nuxt js (vue)

@Doogiemuc

Had the same problem and found out something new:
Axios seems to always add the "Cookie" header when the request goes to the same origin. But it does not automatically add the "Cookie" header when you do a valid CORS request.

Which is strange. And yes the withCredentials configuration variable doesn't seem to have any effect on this at all.

@maciej-trebacz

Bumping this, since I'm observing the same problem @Doogiemuc mentioned - same origin requests ignore withCredentials flag. When I used plain fetch(url, {credentials: 'omit'}) it correctly sent a request without cookies.

@rdebeasi

rdebeasi commented Jul 28, 2020

It sounds like this problem may be a limitation of the XMLHttpRequest.withCredentials property.

The Axios readme implies that this feature only works cross-site:

// `withCredentials` indicates whether or not cross-site Access-Control requests
// should be made using credentials
withCredentials: false, // default

Would it be worth updating the docs to make this limitation clearer and/or throwing a warning when this feature is used outside of a cross-site request?

(Also, thanks to @hetzbr for the heads-up on this issue! 😄 )
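
Added example (not part of the original thread, and not axios code): a small JavaScript model of the browser's request credentials modes, showing why `withCredentials: false` does not strip cookies from same-origin requests while `fetch` with `credentials: 'omit'` does. The function names, the request records and the `example.test` hosts are constructed for illustration.

```javascript
// Added example: models the credentials modes the browser uses for XHR and
// fetch. All names and sample data here are hypothetical.

// XMLHttpRequest has only two modes: withCredentials=true maps to "include",
// anything else to "same-origin". fetch() additionally offers "omit" and
// defaults to "same-origin".
function credentialsMode(req) {
  if (req.api === 'xhr') return req.withCredentials ? 'include' : 'same-origin';
  if (req.api === 'fetch') return req.credentials || 'same-origin';
  throw new Error('unknown api: ' + req.api);
}

// True when the request is eligible to carry the page's cookies.
// (Cookie attributes such as SameSite can still withhold individual cookies.)
function sendsCookies(req, pageUrl) {
  const sameOrigin = new URL(req.url, pageUrl).origin === new URL(pageUrl).origin;
  const mode = credentialsMode(req);
  return mode === 'include' || (mode === 'same-origin' && sameOrigin);
}

// Flags requests the caller meant to be anonymous but that still carry cookies.
function auditAnonymousRequests(requests, pageUrl) {
  return requests
    .filter((r) => r.anonymous && sendsCookies(r, pageUrl))
    .map((r) => r.name);
}

// Constructed sample data (placeholder hosts).
const PAGE = 'https://app.example.test/dashboard';
const SAMPLE = [
  { name: 'xhr same-origin, withCredentials:false', api: 'xhr',
    url: '/api/profile', withCredentials: false, anonymous: true },
  { name: 'xhr cross-origin, withCredentials:false', api: 'xhr',
    url: 'https://other.example.test/api', withCredentials: false, anonymous: true },
  { name: 'xhr cross-origin, withCredentials:true', api: 'xhr',
    url: 'https://other.example.test/api', withCredentials: true, anonymous: false },
  { name: 'fetch same-origin, credentials:omit', api: 'fetch',
    url: '/api/profile', credentials: 'omit', anonymous: true },
];

console.log(auditAnonymousRequests(SAMPLE, PAGE));
```

Only the same-origin XHR request is flagged: with XHR there is no setting that maps to `omit`, so a same-origin request that must not carry cookies has to go through `fetch`.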

@juliofalbo

Any news about it? Having the same issue.

@ghost

ghost commented Jan 30, 2021

Any solution? Experiencing the same issue in a Nuxt project.

@Gacmat

Gacmat commented Feb 24, 2021

Still nothing? :c
I have the same issue. When my React app tries to axios.post(url, data, { withCredentials: true }), my Express.js backend won't send the Cookie with the Token back to the Client.
The funny thing is that CORS and everything is working well, and the token is generated and I have it in the response, but I really want a cookie :c

@akvashi24

akvashi24 commented Apr 9, 2021

This seems to be working as expected for me.

const api = Axios.create()

api.defaults.xsrfCookieName =
  process.env.VUE_APP_CSRF_COOKIE_NAME || 'csrftoken'
api.defaults.xsrfHeaderName = 'X-CSRFToken'
api.defaults.withCredentials = true // most requests need auth

api.get(url, { withCredentials: false }) // no CORS issues for URL with wildcard

axios version: 0.21.1

@mamsoudi

mamsoudi commented Jun 20, 2021

Any updates on the issue? We're in the same situation, and fetch works perfectly with credentials: 'omit'. Our situation is that we have two applications under the same origin; one uses JWT and the other authenticates using Cookies, and we don't want to include Cookies in the one with JWT, but it simply doesn't work.

This gets more problematic since Axios automatically includes Cookies. If we wanted to use Axios for things like upload requests and showing progress, which fetch currently doesn't support, we're completely out of options. This basically renders the entire token authentication obsolete in our other app.

I understand that this is a limitation of XHR but does this mean that I'm completely stuck with fetch?

@eduardotrzan

I'm having the same issue. I find it odd that a specification is made mandatory.
I do understand the fact we try to follow the general definitions, but it makes things harder if we need to adapt or even fast prototype.
For instance, I'm trying to fix the cookies config on my BE, but because of the limitation I had to remove the cookie save, while I understand how to fix the real cause.

@creinelt

It doesn't work for me either with the current version (0.27.2).
I don't want any cookies to be sent, but that doesn't seem to be possible at all.

@Arandolph543

Arandolph543 commented Jul 10, 2022

Axios is tricky but I have solved this problem in the large code bases. There is a best way that solves it but needs then a network protocols security system usually for the application AJAX to avoid DoD problems but if you are familiar with SOAP or REST API's it's like these. What you do is write a service call to customers created index in the DOM it will see it as a null cookie. This is then sessioned in to the Axios API call in pattern is decorated (I've also had an engineer propagate this although not safe for end to end testing trying to reference MVC which takes really steep math proofs to get truthful in making that simplified into that pattern form.) It's a matter of getting a simple model around to view both your active object while maintaining a connection to the network session, foreboding http protocol standards and setting the flags also will work but the relationships to provocation of issues in your network exponentially increases. If you share your implementation I'd be happy to answer questions but it will not be a testable implementation hence it's hacker ugly yet to find anything but I have custom scripts that made it work not ever keeping it for application in any code base.

@rin4ik

rin4ik commented Sep 20, 2022

@geongeorge @creinelt @eduardotrzan @mamsoudi @maciej-trebacz guys did you find any solution to this problem ????

Experiencing the same problem and can't fix it for a long time 😔
withCredentials: false doesn't help on the same domain

@geongeorge
Author

geongeorge commented Sep 20, 2022

> @geongeorge @creinelt @eduardotrzan @mamsoudi @maciej-trebacz guys did you find any solution to this problem ????
>
> Experiencing the same problem and can't fix it for a long time 😔
> withCredentials: false doesn't help on the same domain

I think I used fetch instead of axios at the time to solve this.

You should ask to reopen this issue or open a new one. I remember I tried a lot at the time as well. But this is an old issue. If Axios updates have not fixed it you should definitely get this re-opened

@henricook

Surely this should be reopened @geongeorge - I'm having the same problem at the moment and I'd rather not replace all my axios usage with fetch! :-D

@kyranjamie

Noticing same problem. No way to remove cookies in a request. You can't delete cookies, override header, to withCredentials:false.

@rafaelgramoschi

I want to remove Cookie header using axios for a front-end served on same IP:PORT as back-end, is there no way??
