我在domain.com和upload.domain.com上使用Laravel5.1,相同的脚本(复制粘贴并更改了配置文件中的网站网址)。
会话域设置为.domain.com并且在upload.domain.com上我已将所有CORS标头添加到upload.domain.com并且ajax帖子工作正常,并使用数据库进行会话。
我有以下nginx配置:
location /upload {
add_header Access-Control-Expose-Headers Accept-Ranges;
add_header Access-Control-Expose-Headers Content-Encoding;
add_header Access-Control-Expose-Headers Content-Length;
add_header Access-Control-Expose-Headers Content-Range;
add_header accept_ranges bytes;
upload_state_store /tmp;
upload_resumable on;
add_header Pragma no-cache;
add_header X-Content-Type-Options nosniff;
#add_header Cache-control "no-story, no-cache, must-revalidate";
# Access control for CORS
{ ....}
add_header X-CSRF-Token $HTTP_X_CSRF_TOKEN;
add_header X-XSRF-TOKEN $HTTP_X_CSRF_TOKEN;
upload_set_form_field "_token" $HTTP_X_CSRF_TOKEN;
client_max_body_size 4096m;
upload_pass /internal_upload;
upload_pass_args on;
upload_store /storage/uploaded 1;
upload_store_access user:r group:r all:r;
upload_set_form_field $upload_field_name.name "$upload_file_name";
upload_set_form_field $upload_field_name.path "$upload_tmp_path";
upload_cleanup 400 404 499 500-505;
}
location / internal_upload {
proxy_pass http://upload.domain.com/fileupload/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
在执行XHR2请求时,我使用以下命令通过标头传递令牌:
xhr.setRequestHeader("X-CSRF-Token", globalObj._token );
xhr.setRequestHeader("X-XSRF-TOKEN", globalObj._token );
最后,当nginx将数据传递到子域上的后端应用程序时,问题出现在最后一步,引发了令牌不匹配异常。
我还注意到domain.com设置了一个名为X-XSRF-TOKEN的cookie,并使用domain.com作为域名,upload.domain.com设置了另一个域名为upload.domain.com的X-XSRF-TOKEN令牌。这是正常的,因为两个应用程序都设置了X-XSRF-TOKEN并且值不相等,我想这可能是问题,或者nginx可能会剥离一些数据,然后将它们传递给后端?
答案 0 :(得分:0)
对于将来的引用,我必须发送在主域中设置的cookie以及xhr2请求。这可以通过将xhr设置更改为:
来完成xhr.withCredentials = true;