Note: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must comply with the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/10230341/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
HTTP Cookies and Ajax requests over HTTPS
Asked by NeXuS
I know this has been asked before in various forms, but I can't seem to get around the problem. I have tried using both jQuery and the native JS API to make the Ajax requests.
My situation is the following (see attached diagram):
- Browser makes HTTP request
- Server responds and sets persistent Cookie
- Browser makes HTTP Ajax request, Cookie is there alright
- Server responds as expected, updates Cookie
- Browser makes HTTPS Ajax request, Cookie is not there anymore (?!)
- Server gives "default" response, since there is no Cookie (unintended behaviour)
Before anybody starts a lecture on cross-domain requests let me state a couple of things:
- I know that this is a cross-domain request (different protocol), and that's why the Server sets the Access-Control-Allow-Origin header in the response (and I am using Chrome and Firefox, both of which support CORS)
- What I also know, though, is that the HTTP cookie ought to be manageable over HTTPS (see here) since the host is the same
- (EDIT) The cookie is properly set for the general domain (e.g. .domain.ext) and neither the HttpOnly nor the Secure flags are set
So, why, why, why doesn't the browser pass on the cookie when making the HTTPS Ajax call? Any ideas? I am about to lose my mind...
+-----------+     HTTP Request      +-----------+
| Browser   |+--------------------->| Server    |
+-----------+                       +-----------+
      |          HTTP Response            |
      |<----------------------------------+
      |          Set-Cookie               |
      |                                   |
      |          Ajax HTTP Req.           |
      +---------------------------------->|
      |          Cookie (OK)              |
      |          HTTP Response            |
      |<----------------------------------+
      |          Set-Cookie (OK)          |
      |                                   |
      |          Ajax HTTPS Req.          |
      +---------------------------------->|
      |          No Cookie (!!!)          |
Answered by NeXuS
Ok, found the solution to the cookie problem.
See XHR specs, jQuery docs and StackOverflow.
The solution to have the cookies sent when switching protocol and/or subdomain is to set the withCredentials property to true.
E.g. (using jQuery)
$.ajax({
    /* Setup the call: send cookies on the cross-origin request */
    xhrFields: {
        withCredentials: true
    }
});
Answered by jaeuk Shin
Document.cookie and Ajax requests do not share the cookie. Otherwise, Ajax can't access the cookies from document.cookie or the response headers. They can only be controlled by the remote domain.
If you first get a response including a cookie from the server by Ajax, since then you can request Ajax communication with the cookie to the server.
For this case, you write code such as the below (jQuery):
$.ajax({
    /* withCredentials makes the browser attach cookies to the cross-origin request */
    xhrFields : {
        withCredentials : true
    }
});
See this article and demo
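Both answers show the browser-side setting; the server-side half they leave implicit is shown here as an added example (not code from the question or either answer): a credentialed request is only honoured if the server replies with Access-Control-Allow-Credentials: true and echoes an exact Origin rather than "*". The origins in the allow-list and the helper names are constructed placeholders.

```javascript
// Added example, not code from the question or either answer.
// With withCredentials: true the browser attaches the cookie, but it still
// discards the response unless the server answers the credentialed request with
// Access-Control-Allow-Credentials: true and an exact Origin (never "*").
// The origins in ALLOWED_ORIGINS are constructed placeholders.

const ALLOWED_ORIGINS = new Set([
  'http://www.example.test',   // the HTTP page that makes the HTTPS Ajax call
]);

// Server side: CORS headers for a credentialed request, or null when the Origin
// is not on the allow-list (then send no CORS headers, so the browser blocks it).
function corsHeadersForCredentialedRequest(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string' || !allowed.has(originHeader)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': originHeader,   // exact origin, not "*"
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                              // the response depends on Origin
  };
}

// Applies the headers to a Node-style response object; returns whether the
// request's Origin was accepted. Works with any object exposing setHeader().
function applyCors(req, res) {
  const headers = corsHeadersForCredentialedRequest(req.headers.origin);
  if (headers === null) return false;
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return true;
}

// Browser side with the native API: the same setting as the jQuery xhrFields
// answers above. Runs only in a browser; included for completeness.
function sendCredentialedRequest(url, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, true);
  xhr.withCredentials = true;   // send the cookie on the cross-origin (http -> https) call
  xhr.onload = () => onDone(xhr.status, xhr.responseText);
  xhr.send();
}
```

Note the reverse direction is not symmetric: a cookie carrying the Secure flag is never attached to the plain-HTTP Ajax call, so a later hardening of the cookie would break the HTTP leg of the sequence in the question.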

