diff --git a/starlette/middleware/cors.py b/starlette/middleware/cors.py
index 5c9bfa684..e5de40138 100644
--- a/starlette/middleware/cors.py
+++ b/starlette/middleware/cors.py
@@ -69,6 +69,7 @@ def __init__(
 self.allow_origin_regex = compiled_allow_origin_regex
 self.simple_headers = simple_headers
 self.preflight_headers = preflight_headers
+ self.allow_credentials = allow_credentials
 
 async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
 if scope["type"] != "http": # pragma: no cover
@@ -160,7 +161,7 @@ async def send(
 # If request includes any cookie headers, then we must respond
 # with the specific origin instead of '*'.
- if self.allow_all_origins and has_cookie:
+ if self.allow_all_origins and (has_cookie or self.allow_credentials):
 self.allow_explicit_origin(headers, origin)
 
 # If we only allow specific origins, then we have to mirror back
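Review bot: The two comment lines directly above the changed condition in the second hunk (`# If request includes any cookie headers, then we must respond` / `# with the specific origin instead of '*'.`) are now stale, since the condition also fires whenever `self.allow_credentials` is set regardless of cookies; suggest `# If the request carries cookies, or credentials are allowed, respond with` / `# the specific origin instead of '*' (browsers reject '*' with credentials).`. That comment, or the class docstring, should also say plainly that reflecting the request origin while `Access-Control-Allow-Credentials: true` is sent makes `allow_origins=["*"]` combined with `allow_credentials=True` equivalent to granting every origin credentialed access — before this change browsers refused that combination, so it is now effective rather than a no-op, and deployments relying on the wildcard being harmless should be told. The preflight response path is outside this diff; if it still emits `*` for all-origins with credentials, browsers will reject the preflight the same way, which is worth confirming. The enclosing `send` function starts and ends outside the second hunk, and the first hunk's `__init__` only stores the flag.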