CORS $.ajax session cookies (access-control-allow-credentials & withCredentials=true)

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question and is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow. Original question: http://stackoverflow.com/questions/13457772/

Date: 2020-09-06 10:52:16  Source: igfitidea


Tags: ajax, cookies, cors

Asked by jas-

I realize this question has been asked a dozen or more times and each response given indicates I am doing it right but perhaps I am missing something.

AJAX serves up CORS request like so...

$.ajax({
    url: 'someotherdomain.com',
    type: 'post',
    data: {key: 'value'},
    dataType: 'json',
    async: false,
    crossDomain: true,
    beforeSend: function(xhr){
        // ask the browser to attach cookies to the cross-origin request
        xhr.withCredentials = true;
    },
    success: function(x, status, xhr){

    },
    error: function(xhr, status, error){

    }
});

PHP serves up CORS requests like so...

header('Access-Control-Max-Age: 1728000');                          // how long the browser may cache the preflight result
header('Access-Control-Allow-Origin: http://someotherdomain.com');  // the one origin allowed to read the response
header('Access-Control-Allow-Methods: POST');
header('Access-Control-Allow-Headers: Content-MD5, X-Alt-Referer'); // custom request headers permitted in the preflight
header('Access-Control-Allow-Credentials: true');                   // allow cookies on the cross-origin request
header("Content-Type: application/json; charset=utf-8");

According to all documentation as long as the 'Access-Control-Allow-Credentials' server side header, and the 'withCredentials=true' client side header is set session cookie handling between the domains should be transparent. Am I missing something?

Accepted answer by jas-

async: false

was preventing the session cookie from being sent back to the server on each request. The following fixed it.

async: true

Although this does allow for the session cookie to get set by the browser when making a cross origin request sharing call, I am now experiencing problems regarding the following scenario:

Server A sends response to client
Client using CORS makes request of server B

XMLHttpRequest -> PHP -> Session handler -> MySQL -> Stored Procedure 

Due to the MUTEX locks in PHP session management, the asynchronous nature (and, apparently, requirement) may force a workaround of manually setting the cookie with a different header option, such as XCookie or something similar, to keep the server's session and the client's requests synchronized.

This particular workaround does not sit well with me, as I believe it would open up an easy lane of travel for session hijacking and session replay attack vectors.

Using an SSL/TLS wrapped connection may assist in preventing the above scenario but in terms of independently providing security measures for the client I do not believe this should suffice.

Anyone with any thoughts on this?

Answer by monsur

In your example above, you are setting the Access-Control-Allow-Origin header to 'http://someotherdomain.com', which is the same as the url you are requesting from JQuery. The Access-Control-Allow-Origin header should be the value of the domain the request is coming from. As a quick test, try setting the value of this header to '*' (without the quotes) and see if it works ('*' means all domains are allowed).
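The two points on this page, the question's pairing of Access-Control-Allow-Credentials on the server with withCredentials on the client, and monsur's point that Allow-Origin must name the origin the request comes from, meet in the server's CORS decision. The block below is an added example, not code from the question, the accepted answer or monsur's answer; it is a Node-style request decision written as pure functions so it can be checked without a browser. The origin allowlist, the origins in it, the 'sid' cookie name and the handler names are all constructed for this example. One caveat a practitioner should know when running monsur's quick test: once withCredentials is set, the browser refuses a response whose Allow-Origin is '*', so '*' only tells you whether plain CORS works, and the value sent in production has to be the requesting origin, echoed back after an allowlist check.

```javascript
// Added example (not from the original post): server-side CORS decision logic for
// credentialed (cookie-carrying) cross-origin requests. Allowlist and names are constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example',        // constructed: the page that issues the $.ajax call
  'http://someotherdomain.com', // constructed: a second trusted front end
]);
const ALLOWED_METHODS = ['POST'];
const ALLOWED_HEADERS = ['Content-MD5', 'X-Alt-Referer'];

// Builds the CORS response headers for an allowlisted Origin, or returns null.
// With credentials the browser rejects '*', so the exact origin is echoed back;
// Vary: Origin keeps shared caches from serving one origin's headers to another.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
    'Access-Control-Max-Age': '1728000',
    'Vary': 'Origin',
  };
}

// Parses a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Decides the response for one request. `headers` is the request header map with
// lower-case names, as Node's http module provides it.
//  - no Origin header: same-origin or non-browser client, no CORS headers needed
//  - Origin not allowlisted: refuse outright. A form-encoded POST is a "simple"
//    request that needs no preflight, so the browser sends it even though it will
//    hide the response from the page; the server must not act on it.
//  - OPTIONS preflight: answer 204 with the CORS headers and run nothing
//  - otherwise: run the handler and attach the CORS headers to its response
function handleRequest(method, headers, handler) {
  const origin = headers['origin'];
  let cors = {};
  if (origin !== undefined) {
    cors = corsHeadersFor(origin);
    if (cors === null) {
      return { status: 403, headers: {}, body: 'origin not allowed' };
    }
    if (method === 'OPTIONS') {
      return { status: 204, headers: cors, body: '' };
    }
  }
  const result = handler(headers);
  return {
    status: result.status,
    headers: { ...cors, 'Content-Type': 'application/json; charset=utf-8' },
    body: JSON.stringify(result.body),
  };
}

// Example handler: reports whether the session cookie reached the server, which is
// the symptom the question is about. 'sid' is a constructed cookie name.
function sessionHandler(headers) {
  const sid = parseCookies(headers['cookie'])['sid'];
  if (!sid) return { status: 401, body: { error: 'no session cookie' } };
  return { status: 200, body: { session: sid } };
}
```

To wire this into a real Node server, call handleRequest(req.method, req.headers, sessionHandler) inside the http.createServer callback and copy the returned status, headers and body onto the response. The design choice worth noting is the early 403 for an unknown Origin: omitting the CORS headers is enough to stop the browser from showing the response, but it does not stop a cookie-bearing simple POST from being executed, so a server that relies on the session cookie should refuse before doing any work.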