CORS, Cookies, Unity and WebGL Builds
In a previous blog post I discussed how to get basic cross-origin requests working for your Unity WebGL project. This post is meant as a quick follow-up to cover another tricky problem that may come up when attempting to host your Unity WebGL game on Kongregate: cookie-based session authentication. The Problem Let's say you have a backend API that uses cookies for session management. Your game works great when testing on your own domain, but breaks horribly once you host the files on Kongregate due to the fact that your API requests are now cross-domain and subject to strict CORS rules. This means that the browser will refuse to send cookies along with requests unless things are set up properly on both the client and the server. Keep in mind that this behavior is a good thing, as it means that it allows you to control what domains your session cookies will be sent to, which helps prevent this highly sensitive data from falling into the hands of malicious actors. Configuring the Server In order for the browser to allow