Qlik Community

Ask a Question

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Qlik Highlights 2020 Giveaway! Watch, reply and have a chance to win a $200 Amazon Gift Card! Watch Video
Showing results for 
Search instead for 
Did you mean: 

Qlik, CORS, and Cookies

We're currently running into an issue using a JWT based virtual proxy with our application where the single page application is hosted on a different domain than qlik. The setup is as following

customer.applicationdomain.com hosts an ember based single page application that is embedding a qlik sheet into itself. We're using JWT based authentication to pass user credentials to qlik as this is an externally facing SaaS application. Qlik is hosted on

qliksubdomain.applicationdomain.com. The reason for this is because we do not wish to globally set the idle timeout for connections to our loadbalancer above 1 minute since other applications do not use web sockets and if there are issues with the connections properly closing it could serve to starve other applications. Using the second domain allows us to point this traffic to a second loadbalancer with a higher idle timeout however we are not able to get authentication to succeed afterwards.

Our authentication process is as follows.

Our main web application issues a cookie with a JWT that is RSA signed and is accessible by our single page application. These cookies are set for the domain customer.applicationdomain.com. This JWT is then placed into the authentication header of the request and the qlik session cookie is issued. When everything is on the same domain this works fine. When we try to use the two domains listed above we encounter the following problems.

1. Preflight on the first request, which is typically to systeminfo, will throw a 403. We are able to work around this by adding domains to the whitelisted host list.

2. The qlik session cookie is issued however it is sent with a blank value for all future requests. This seems to be due to the cookie attempting to be used cross origin when it is a session cookie with the secure flag set. We have tried setting the domain of the cookie to

customer.applicationdomain.com, qliksubdomain.applicationdomain.com, and .applicationsubdomain.com and none of these options result in success. We are setting the access-control-allow-origin header to customer.applicationdomain.com, so that our SPA javascript is allowed to make requests to the server.

I am wondering if anyone else has a setup where they use a single page application and are hosting it on https on one domain, with qlik on another domain?

5 Replies
Contributor II
Contributor II

Hello Kwescoe99,

Did you find any solution ? we are also facing the issue.


qliksubdomain.applicationdomain.com and customer.applicationdomain.com are basically under same domain ".applicationdomain.com", I have very similar requirement and using jwt auth, in your virtual proxy setting for jwt, make sure several things:

1. set session cookie domain - .applicationdomain.com

2. session cookie header: if you set if as X-Qlik-Session-jwt, and your prefix is "jwt", you need to use <qliksubdomain.applicationdomain.com/jwt/hub/> as your redirect url, note there is additional "/" at the end of url, I had 403 when call without it.

3. your domain has to be https, if one of your domains is http, CORS is likely coming out.

4. here is my setting in the "additional response headers":

  • Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: true
    Vary: Origin
Contributor II
Contributor II

Thanks for your reply, I raised a support ticket with Qlik and they gave one solution. I have uploaded that video https://www.youtube.com/watch?v=slM8ZOfjOBA . That solution resolved our issue.

Contributor II
Contributor II

This resolved the same issue for me too, except we only needed to add the request origin site to the virtualproxy whitelist.  The additional response headers were not necessary.


The response from <proxy>/hub returns a html after authentication. Is there any other endpoint that needs to be called with JWT token to authenticate.