Symantec Access Management

  • 1.  These cross domain XMLHttpRequest fails to reach the actual server

    Posted Jun 18, 2015 05:26 AM

    There is one application which is deployed in the http://abc.ravi.bt.com domain.

    Siteminder is being used to establish SSO for the application.
    Every 5 minutes, when users access the application, they get redirected to https://abc.xyz.com (the cookie provider server), which is in a different domain.
    These cross-domain HTTP requests fail to reach the actual server and error out with the following exception in the browser: "XMLHttpRequest cannot load https://abc.xyz.com/SmMakeCookie.ccc?SMSESSION=?%2ecom%2fcqm%2fquotes%3fcustomerID%3d170953%26salesChannel%3dBT%2bAMERICAS. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://sap.ravi.bt.com' is therefore not allowed access." As a result, every HTTP request sent after every 5 minutes from our client (browser) is failing and fetching no result.
    This is causing a major problem on the client side. The application team tried adding the following header parameter to the request and response headers in the client and HTTP web server config: "Access-Control-Allow-Origin: *".
    However, it didn't resolve the problem. We also tried setting a response attribute header with the name "Access-Control-Allow-Origin" and the value *, but that didn't work.



  • 2.  Re: These cross domain XMLHttpRequest fails to reach the actual server

    Posted Jun 18, 2015 10:13 AM

    Ravi RaviSapare

     

    Please remove the URLs and replace them with dummy URLs. Please remove all references which connect the URLs to a particular company. This is a public forum.

     

     

    Regards

    Hubert



  • 3.  Re: These cross domain XMLHttpRequest fails to reach the actual server

    Posted Jun 18, 2015 10:36 AM

    Ravi RaviSapare

     

    Based on your comments above, it seems like the issue tends to transpire when the SessionUpdatePeriod defined in the local WebAgent kicks in and issues a redirect to the Cookie Provider to update the Master Cookie.

     

    There have been instances in the past wherein Applications are unable to handle 302 redirects as responses e.g.

    • Browser sends a request to Application.
    • Application handles the GET / POST request with DATA INPUTs in the request.
    • When WebAgent is present, it intercepts the request before the Application receives the request.
    • WebAgent does its own processing and issues a 302.
      • Sometimes there are race-conditions here i.e.
        • Application may forcefully override and ignore the 302.
        • WebAgent issues the 302. However when the 302 is returned back, Application is unable to handle it.

     

     

     

    In your case it seems like a fundamental thing: the browser is blocking because your request is cross-domain. This is my hunch after I read a few blogs online.

     

    I would ideally start from scratch i.e. design and see what is necessary for such applications.

     

    Cross-Origin XMLHttpRequest - Google Chrome

    javascript - Cross origin requests are only supported for HTTP but it's not cross-domain - Stack Overflow

     

     

    Regards

     

    Hubert



  • 4.  Re: These cross domain XMLHttpRequest fails to reach the actual server
    Best Answer

    Posted Aug 11, 2015 05:31 AM

    This issue was resolved by setting the following in the CookieProvider Apache server.

     

    Initially, in the httpd.conf file, we had the line below:

     

    Header always set Access-Control-Allow-Origin "null"

     

    We replaced the above line with the following:

     

     

    <IfModule mod_headers.c>
        SetEnvIfNoCase Origin "(^https?://(.+\.abc\.com)(:\d+)?$|^null$)" AccessControlAllowOrigin=$0
        Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    </IfModule>

     

    In order to use this, you will need to have the following module enabled

     

    LoadModule headers_module modules/mod_headers.so
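
An offline check of the allow-list in the answer above, as an added example that is not part of the original thread: it replays the posted SetEnvIfNoCase pattern against constructed Origin values and compares it with a tighter pattern. `STRICT`, the function names and the sample origins are assumptions introduced for illustration; abc.com is the thread's dummy domain.

```javascript
// Added example, not from the thread. abc.com is the thread's dummy domain
// and every Origin value below is constructed for the check.

// Pattern as posted in the httpd.conf snippet; SetEnvIfNoCase => "i" flag.
const POSTED = /(^https?:\/\/(.+\.abc\.com)(:\d+)?$|^null$)/i;

// Hypothetical tighter pattern (assumption): https only, host limited to
// DNS label characters, and no "null" alternative.
const STRICT = /^https:\/\/([a-z0-9-]+\.)+abc\.com(:\d+)?$/i;

// Value the Header directive would emit for this Origin, or null when the
// AccessControlAllowOrigin variable stays unset and no header is added.
function allowOriginFor(origin, pattern) {
  if (typeof origin !== "string") return null; // request carried no Origin
  const m = pattern.exec(origin);
  return m ? m[0] : null; // $0 = whole match, i.e. the Origin is echoed back
}

// Origins the first pattern accepts and the second rejects.
function acceptedOnlyBy(loose, strict, origins) {
  return origins.filter(
    (o) => allowOriginFor(o, loose) !== null && allowOriginFor(o, strict) === null
  );
}

const SAMPLE_ORIGINS = [
  "https://app.abc.com",             // intended caller
  "https://a.b.abc.com:8443",        // deeper subdomain with a port
  "http://app.abc.com",              // plaintext scheme
  "null",                            // opaque origin (sandbox, some redirects)
  "https://abc.com",                 // bare domain, no subdomain label
  "https://app.abc.com.example.net", // abc.com is not the suffix
  "https://example.net/x.abc.com",   // not a valid Origin, but ".+" spans "/"
];

// Print the header each pattern would produce for every sample Origin.
for (const o of SAMPLE_ORIGINS) {
  console.log(o.padEnd(34), "posted:", allowOriginFor(o, POSTED),
              "| strict:", allowOriginFor(o, STRICT));
}
```

`Origin: null` is shared by every opaque-origin context, so allowing it does not restrict callers to abc.com. A response that echoes the request's Origin should also carry `Vary: Origin` if it can be cached.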