Original URL: http://stackoverflow.com/questions/11601149/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Browsers not sending back cookies when using CORS XHR
Asked by AriehGlazer
edit - looking at the cookies using Chrome web inspector, it seems like no matter what the expire value of the cookie is, the browser sets it as a session cookie and deletes it per request.
I am building a CORS example for a class I'm teaching, using Node.js and Express.
However, although cookies are being set from the server, they are not being sent back to the server on following requests. This pretty much means I can't use any trivial session manager.
Any idea what I'm missing here? Why doesn't the browser send cookies set by a domain back to that domain? Shouldn't this be happening automatically?
edit - some code examples: setting up the XHR request:
    var xhr = new XMLHttpRequest();
    xhr.open(method, url, true);
    xhr.widthCredentials = true;
    xhr.onreadystatechange = function(res){
        if (xhr.readyState == 4){
            cb(res,xhr);
        }
    };
    xhr.setRequestHeader("Content-Type",'application/json');
    xhr.setRequestHeader('Accept','application/json');
    xhr.send(JSON.encode({param:some_param}));
server:
    function allowCrossDomain(req,res,next) {
        res.header('Access-Control-Allow-Credentials', true);
        res.header('Access-Control-Allow-Origin', req.headers.origin);
        res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
        res.header('Access-Control-Allow-Headers', 'Content-Type,Accept,X-Requested-With');
        if (req.method!='OPTIONS') return next();
        res.send(204);
    }
    //while configuring express
    app.use(allowCrossDomain)
It is also worth mentioning that I have tried various npm middlewares that do the same thing with no observable difference
As for scenario:
- Make a CORS request using XHR
- Server sets a cookie, that is being successfully sent back to the client (express session cookie)
- The next XHR request will not send that cookie back to the server, so express cannot identify the user, and so creates a new session cookie and so forth.
Answered by Pointy
I don't really know anything about this other than what I've read, but according to the MDN docs there's a "withCredentials" property on the XHR object, and that needs to be set:
    xhr.withCredentials = true;
By default, it's false. Without that flag being set, cookies are not transmitted and cookie headers in the response are ignored.
edit - I swear I read your question a couple times, but I totally missed your mention of the flag. Sorry. However, so as this isn't a total waste, I'll also mention that your server needs to be setting the "Access-Control-Allow-Credentials" flag to true in the response header, and "Access-Control-Allow-Origin" set to your current protocol + host + port.
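The header requirements from the answer above, as an added example that is not part of the original post: the server names the exact origin from an allowlist instead of echoing any `Origin` (an echoed origin combined with `Access-Control-Allow-Credentials: true` lets every site make credentialed reads), next to a simplified model of the browser's check. `ALLOWED_ORIGINS`, `corsHeadersFor` and `credentialedResponseUsable` are hypothetical names, and the origins are constructed sample values.

```javascript
// Added example: hypothetical names throughout; origins are constructed samples.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:8080',
  'https://app.example.test',
]);

// Server side: build the CORS headers for one request's Origin header.
// Unknown origins get no CORS headers at all instead of an echoed Origin.
function corsHeadersFor(origin) {
  const headers = { Vary: 'Origin' }; // response differs per Origin, so caches must key on it
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return headers;
  headers['Access-Control-Allow-Origin'] = origin; // exact protocol + host + port
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Access-Control-Allow-Methods'] = 'GET,PUT,POST,DELETE,OPTIONS';
  headers['Access-Control-Allow-Headers'] = 'Content-Type,Accept,X-Requested-With';
  return headers;
}

// Browser side (simplified model of the check applied to a request sent with
// xhr.withCredentials = true): the response is usable only if the allowed
// origin matches the page's origin exactly, is not the "*" wildcard, and
// credentials are allowed with the literal string "true".
function credentialedResponseUsable(pageOrigin, headers) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  const allowCreds = headers['Access-Control-Allow-Credentials'];
  return allowOrigin === pageOrigin && allowOrigin !== '*' && allowCreds === 'true';
}

// Express-style wrapper (req/res/next shapes assumed, as in the question's code).
function allowCrossDomain(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method !== 'OPTIONS') return next();
  res.statusCode = 204; // preflight: headers only, no body
  res.end();
}
```

On the client the property must be spelled `withCredentials`: JavaScript accepts an assignment to any other name, such as the `widthCredentials` in the question's snippet as shown on this page, as a new property, and the request then goes out without cookies.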
Answered by Florian Margaine
This happened to me before, and I can tell it's pretty stupid.
If you're using a virtual machine, you usually suspend it/resume it whenever you need it etc.
This means that the date of the virtual machine is usually some days late (or more) compared to the host, or any client you're using.
So when the server sets the cookie expire's date (usually a couple hours after current date), it is already expired on the client. Thus, the client doesn't keep it.
To update your date on your virtual machine, I suggest you just use ntpdate, or you can manually set the date to see if that's the problem:
    # what's the date?
    date
    # You'll see if it's the problem already
    # If it is, here is how to manually set it
    date --set 2012-07-22 # yyyy-mm-dd
    date --set 17:00:42 # hh:mm:ss
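The clock-skew effect described in the answer above, as an added example that is not part of the original answer: it computes a cookie's expiry the way a browser does under RFC 6265, where `Expires` is an absolute date taken from the server's clock and `Max-Age` is counted from the client's clock and takes precedence. The function names, the `sid=abc123` cookie and the two timestamps are constructed for illustration.

```javascript
// Added example; all names and sample values here are hypothetical.
// Returns the Date at which the client would expire the cookie, or null
// when neither attribute is usable (the cookie is then a session cookie).
function cookieExpiryOnClient(setCookie, clientNow) {
  const attrs = {};
  for (const part of setCookie.split(';').slice(1)) { // skip the name=value pair
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[name] = eq === -1 ? '' : part.slice(eq + 1).trim();
  }
  // Max-Age wins over Expires and is relative to the client's own clock.
  if (/^-?\d+$/.test(attrs['max-age'] || '')) {
    return new Date(clientNow.getTime() + Number(attrs['max-age']) * 1000);
  }
  if (attrs.expires) {
    const when = new Date(attrs.expires);
    if (!Number.isNaN(when.getTime())) return when;
  }
  return null;
}

// 'kept' | 'discarded' | 'session', judged by the client's clock.
function clientVerdict(setCookie, clientNow) {
  const expiry = cookieExpiryOnClient(setCookie, clientNow);
  if (expiry === null) return 'session';
  return expiry > clientNow ? 'kept' : 'discarded';
}

// Header a server would emit for a two-hour cookie, using its own clock.
function serverSetCookie(serverNow, useMaxAge) {
  const ttl = 2 * 60 * 60; // seconds
  if (useMaxAge) return `sid=abc123; Path=/; Max-Age=${ttl}`;
  const expires = new Date(serverNow.getTime() + ttl * 1000).toUTCString();
  return `sid=abc123; Path=/; Expires=${expires}`;
}

// Constructed scenario: the VM's clock is three days behind the client's.
const clientNow = new Date('2012-07-22T17:00:42Z');
const vmNow = new Date('2012-07-19T17:00:42Z');
```

With these values the `Expires` form from the lagging VM is already in the past for the client, while the `Max-Age` form of the same cookie is kept.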
Answered by H. J. Rhenals
I just had this problem, the solution in my case was to add the path to the cookie, so when adding the cookie you must use:
    document.cookie = 'cookieName=cookieValue;path=/';
This way the browser will be able to send the cookie in the new request.
PS: You also need the xhr.withCredentials = true; if you are using cross domain request.
Answered by Andrew M. Andrews III
I had a similar problem, and it turned out that the browser settings were blocking third-party cookies (Chrome > Settings > Advanced Settings > Privacy > Content Settings > Block third-party cookies and site data). Unblocking solved the problem!