the browser will still create cookies set by the server during a ajax request, jquery or otherwise.
Did you check the response to the ajax request and ensure cookies came back from the server to be set?
There could be a problem with the server code such that it is not even setting the cookie, etc. Check https://developer.mozilla.org/En/HTTP_access_control for examples. For me it seems like a bug in JQuery (or at least feature-to-be in next version).
The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding.
The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: * It was important that only one allowed "origin" was in the response header of the OPTIONS call and not "*".
I achieved this by reading the origin from the request and populating it back into the response - probably circumventing the original reason for the restriction, but in my use case the security is not paramount.
I thought it worth explicitly mentioning the requirement for only one origin, as the W3C standard does allow for a space separated list -but Chrome doesn't! There are already a lot of good responses to this question, but I thought it may be helpful to clarify the case where you would expect the session cookie to be sent because the cookie domain matches, but it is not getting sent because the AJAX request is being made to a different subdomain.
In this case, I have a cookie that is assigned to the *.domain, and I am wanting it to be included in an AJAX request to different.mydomain.com". You do not need to disable HTTPONLY on the session cookie to resolve this issue.
You only need to do what wombling suggested ( and do the following. I was having this same problem and doing some checks my script was just simply not getting the sessionid cookie.
I figured out by looking at the sessionid cookie value in the browser that my framework (Django) was passing the sessionid cookie with Http Only as default.
This meant that scripts did not have access to the sessionid value and therefore were not passing it along with requests.
Kind of ridiculous that Http Only would be the default value when so many things use Ajax which would require access restriction.
To fix this I changed a setting (SESSION_COOKIE_HTTPONLY=False) but in other cases it may be a "Http Only" flag on the cookie path Perhaps not 100% answering the question, but i stumbled onto this thread in the hope of solving a session problem when ajax-posting a fileupload from the assetmanager of the innovastudio editor.
Eventually the solution was simple: they have a flash-uploader.