You cannot set or read cookies on CORS requests through JavaScript. Although CORS allows cross-origin requests, the cookies are still subject to the browser's same-origin policy, which means only pages from the same origin can read/write the cookie. withCredentialsonly means that any cookies set by the remote host are sent to that remote host. You will have to set the cookie from the remote server by using the Set-Cookieheader.

您无法通过 JavaScript 在 CORS 请求上设置或读取 cookie。尽管 CORS 允许跨域请求，但 cookie 仍受浏览器的同源策略约束，这意味着只有来自同一源的页面才能读取/写入 cookie。withCredentialsonly 意味着远程主机设置的任何 cookie 都会发送到该远程主机。您必须使用Set-Cookie标头从远程服务器设置 cookie 。

Please note this doesn't solve the cookie sharing process, as in general this is bad practice.

请注意，这并不能解决 cookie 共享过程，因为通常这是不好的做法。

You need to be using JSONP as your type:

您需要使用 JSONP 作为您的类型：

From $.ajax documentation: Cross-domain requests and dataType: "jsonp" requests do not support synchronous operation.

来自 $.ajax 文档：跨域请求和数据类型：“jsonp”请求不支持同步操作。

$.ajax(
    { 
      type: "POST",
      url: "http://example.com/api/getlist.json",
      dataType: 'jsonp',
      xhrFields: {
           withCredentials: true
      },
      crossDomain: true,
      beforeSend: function(xhr) {
            xhr.setRequestHeader("Cookie", "session=xxxyyyzzz");
      },
      success: function(){
           alert('success');
      },
      error: function (xhr) {
             alert(xhr.responseText);
      }
    }
);

I had this same problem. The session ID is sent in a cookie, but since the request is cross-domain, the browser's security settings will block the cookie from being sent.

我有同样的问题。会话 ID 在 cookie 中发送，但由于请求是跨域的，浏览器的安全设置将阻止发送 cookie。

Solution:Generate the session ID on the client (in the browser), use Javascript sessionStorage to store the session ID then send the session ID with each request to the server.

解决方案：在客户端（在浏览器中）生成会话 ID，使用 Javascript sessionStorage 存储会话 ID，然后将会话 ID 与每个请求一起发送到服务器。

I struggled a lot with this issue, and there weren't many good answers around. Here's an article detailing the solution: Javascript Cross-Domain Request With Session

我在这个问题上挣扎了很多，周围没有很多好的答案。这是一篇详细介绍解决方案的文章：Javascript Cross-Domain Request With Session

There have been a slew of recent changes in this arena, so I thought a fresh answer would be helpful.

这个领域最近发生了许多变化，所以我认为一个新的答案会有所帮助。

To have a cookie sent by the browser to another site during a request the following criteria must be met:

要在请求期间让浏览器将 cookie 发送到另一个站点，必须满足以下条件：

• The Set-Cookieheader from the target site must contain the SameSite=Noneand Securelabels.If Secureis not used the SameSiteheader will be ignored.
• The request must be made to a httpsendpoint, a requirement of the Secureflag.
• The XHRRequestmust be made with withCredentials=true. If using $.ajax()this is accomplished with the xhrFieldsparameter(requiring jQuery=1.5.1+)
• The server must respond with Access-Control-Allow-Originheader that matches the request Originheader. (*will not be respected in this case)

• Set-Cookie目标站点的标题必须包含SameSite=None和Secure标签。如果Secure未使用，SameSite标题将被忽略。
• 必须向https端点发出请求，这是Secure标志的要求。
• 在XHRRequest必须进行withCredentials=true。如果使用$.ajax()它是通过xhrFields参数完成的（需要jQuery=1.5.1+）
• 服务器必须使用Access-Control-Allow-Origin与请求Origin标头匹配的标头进行响应。（*在这种情况下不会受到尊重）

A lot of people find their way to this post trying to do local development against a remote endpoint, which is possible if the above criteria are met.

很多人找到了这篇文章的方法，试图针对远程端点进行本地开发，如果满足上述标准，这是可能的。