Preventing Unwanted WooCommerce Sessions from Automatic OPTIONS Requests

[pooriaset]

Describe the bug

Hello,

I encountered an issue while developing my latest project. The frontend is hosted at example.com, while the backend is at api.example.com. Due to the different domains, the browser automatically sends an OPTIONS request for CORS.

Since this is done automatically by the browser, we are unable to set the woocommerce-session header. As a result, a new session is created in the wp_woocommerce_sessions table for each OPTIONS request.

To prevent this issue, I believe it would be better to check if the request method is not OPTIONS before creating a session.

The image below illustrates the unnecessary tokens that are being created.

To Reproduce

Simply call services from a localhost to any backend multiple times. Even though we set the woocommerce-session header, there is nothing we can do for the OPTIONS requests.

If you agree, I can implement the necessary changes myself and submit a pull request.

Thank you!

[kidunot89]

@pooriaset What are you using to send you're GraphQL request? Apollo, React Query, fetch?

[pooriaset]

I’m using Apollo, but Apollo does not have this behavior. The browser sent OPTIONS requests.

[kidunot89]

@pooriaset That is known as the pre-flight check, and it looks like you have your session tokens configured incorrectly. Have you read the docs here

[IDJGILL]

@kidunot89 I am facing the same issue, It does not matter if I query for products or something else, A new session is created and sent with every single response. May be I am missing something there but I think the way it should work is by only getting the session token if we do cart or order related queries / mutations.

[IDJGILL]

@pooriaset Have you found any solution to this issue yet?

[pooriaset]

@IDJGILL

This issue occurs when you send requests from a domain like example.com to api.example.com.

The browser automatically sends OPTIONS requests to check for CORS (Cross-Origin Resource Sharing).

I have temporarily resolved this issue in this way. Please check the link below for more details:
#913

[IDJGILL]

@pooriaset

Thanks for your help man, I checked your pull request but I am little confused how do I Implement this safely.

(NOT A PHP GUY 😅).

[kidunot89]

@IDJGILL If a new session is being created on every GraphQL request, it's due to you not providing a woocommerce session token or the your configuring it incorrectly. Read the docs here or if you're not using Apollo, try the 4th part of this tutorial series

[IDJGILL]

@IDJGILL If a new session is being created on every GraphQL request, it's due to you not providing a woocommerce session token or the your configuring it incorrectly. Read the docs here or if you're not using Apollo, try the 4th part of this tutorial series

I am using Next.js and need to fetch a product by slug to create a dynamic route.

It is impossible to pass a session token in generateStaticParams. Even if I choose not to prerender pages at build time and instead rely on runtime prerendering (SSG), I have no option but to access the session token from cookies.

However, if I do that, Next.js will no longer prerender on request and will instead trigger a refetch for every request (SSR).

If I understand your implementation correctly, it seems more like a client-side approach, which does not align with Next.js's prerendering system.

I would love to deep dive into this to explore potential solutions.

[kidunot89]

@IDJGILL Why would you need a session token to query a product? You should not be passing the session token as a static param either. Session token usage is usual through client-side action and working with dynamic data like cart data which you can't statically generate. The point I'm trying to make it is, chances are you would need the session token for page generation and if you need it on the server store it in a cookie.