javascript AngularJS withCredentials 不发送
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/22100084/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
AngularJS withCredentials Not Sending
提问by Devin Dixon
In AngularJS, I have my Restful API in a subdomain but I am having the problem where the cookie/session is not being shared across domains. For Angular I am doing this:
在 AngularJS 中,我在一个子域中有我的 Restful API,但是我遇到了 cookie/session 没有跨域共享的问题。对于 Angular,我这样做:
app.config(['$httpProvider',
function($httpProvider) {
$httpProvider.defaults.useXDomain = true;
$httpProvider.defaults.withCredentials = true;
delete $httpProvider.defaults.headers.common['X-Requested-With'];
}]);
Also when I am making a request with $http I am doing
另外,当我用 $http 提出请求时,我正在做
var object = {};
object.url = '/example'
object.withCredentials = true;
$http(object).success(object.success).error(object.error);
And On my server side I have:
在我的服务器端,我有:
if($_SERVER['REQUEST_METHOD']=='OPTIONS') {
if(isset($_SERVER['HTTP_X_FOWARDED_HOST']) && !empty($_SERVER['HTTP_X_FOWARDED_HOST'])) {
$origin=$_SERVER['HTTP_X_FOWARDED_HOST'];
} else {
$origin=$_SERVER['HTTP_ORIGIN'];
}
if(isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && ($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='POST' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='DELETE' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='PUT')) {
header('Access-Control-Allow-Origin: '.$origin);
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: *,X-Requested-With,Content-Type');
//header('Access-Control-Allow-Headers: Content-Type');
header('Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT');
// http://stackoverflow.com/a/7605119/578667
header('Access-Control-Max-Age: 86400');
}
}
Now I see that the server is saying that it will allow credentials but its not being sent in the options request. Screenshot below.
现在我看到服务器说它将允许凭据,但它没有在选项请求中发送。截图如下。
What am I doing wrong?
我究竟做错了什么?
回答by Geoff Genz
By default credentials are NOT sent in a CORS pre-flight OPTIONS request. See here. See also this answer. The credentials will be sent on your actual request.
默认情况下,不会在 CORS 飞行前选项请求中发送凭据。见这里。另请参阅此答案。凭据将根据您的实际请求发送。
Also, useXDomain and X-Request-With headers are not actually used in current versions of angular, so those lines are doing nothing in your $httpProvider config. All CORS interaction is handled by the browser itself and your server.
此外, useXDomain 和 X-Request-With 标头实际上并未在当前版本的 angular 中使用,因此这些行在您的 $httpProvider 配置中没有任何作用。所有 CORS 交互都由浏览器本身和您的服务器处理。
In general to properly implement CORS your server should not require credentials on the preflight request. (Please note that some browsers send them anyway, but shouldn't.) This is because an OPTIONS request is considered "safe" and should never contain any confidential information.
一般来说,要正确实施 CORS,您的服务器不应要求预检请求中的凭据。(请注意,有些浏览器无论如何都会发送它们,但不应该。)这是因为 OPTIONS 请求被认为是“安全的”,不应包含任何机密信息。
It may be your problem is in the cookies you're trying to share across domains. What cookies are you trying to send where?
您的问题可能出在您尝试跨域共享的 cookie 中。你想把什么 cookie 发送到哪里?
