我正在使用基于Laravel的较新的PHP版本迁移旧的perl应用程序。这需要perl应用程序向新的Laravel应用程序发出XHR请求,并且我在Chrome中遇到了一些问题,并且返回了Cookie。
当我们已经登录这两个应用时,我试图向Laravel应用发出两个请求:第一个请求CSRF令牌,第二个使用该令牌发出POST请求。
我已将CORS配置为我正在发送和接收cookie的点,并且初始/令牌GET调用正常工作(根据XHR请求发送的cookie进行身份验证)
/ token调用然后返回一个带有laravel_session cookie的Set-Cookie标头(如预期的那样),但我的问题是以下POST请求正在发送同一个cookie的两个版本,而PHP似乎只是在查看不正确的,因此加载错误的会话并针对错误的CSRF令牌进行测试。
以下是所有3个请求的详细信息 - 正如您所看到的,最终的POST正在发送具有不同值的相同cookie的两个版本。 (为清晰起见,在Cookie标题中添加了换行符)
这仅发生在Chrome中,在Safari中,它似乎发送了正确的Cookie并且CSRF令牌已正确验证。 Chrome版本为45.0.2454.101。
令牌请求标头:
GET /token HTTP/1.1
Host: laravel.domain.com
Connection: keep-alive
Accept: */ *
Origin: https://perl.domain.com
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: https://perl.domain.com/original/page.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: XSRF-TOKEN=eyJpdiI6Im5kSG02TVhsc08wUVZCZkd2WnZQa1E9PSIsInZhbHVlIjoiWFE0MXFBNlZIMnNXVHppXC9hN0dqNlJ2K1psUU9JZlFqTUdZZ3RJVmc0N1ZqV0MrVEczOGVFV0ExcDRDYmQxZDBTbFhGaWFiUkh5TGowOUgxdzVKOCtBPT0iLCJtYWMiOiJhOTYzNDFlZjUyYTdjMWFmMDE1MTFlMjczYTA0NTE2NThlYjVlNTkyOWUyZWNjZWM1MGYxODc4MmVjMTM5YTFhIn0%3D;
laravel_session=eyJpdiI6ImdSM0VTT25FUzZoY3JOeVwvN2JLWFFnPT0iLCJ2YWx1ZSI6Ilp3WHBFZlNuTnZibVMyMUlvbk1YM1YwdXF5VjRnTW1CNWVjUU1ReXlLZldSeEJxeTJFSmgyN2pyTjAydXlzMzE1TmJseWZrQmRraStDUkFqNTFReUp3PT0iLCJtYWMiOiI5MWMxM2YyNzFjOTY3ZjIxMmVjYmNlZWNlNDAzYjI2MjZkNmJhMzIyM2VlNTAwNGJlNTQ4OTU4OTMxZjJhYjE5In0%3D;
_ga=GA1.3.1924987937.1443461035;
_dc_gtm_UA-5119192-1=1
令牌响应标头:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://perl.domain.com
Cache-Control:no-cache
Connection:Keep-Alive
Content-Length:40
Content-Type:text/plain; charset=UTF-8
Date:Mon, 28 Sep 2015 17:24:18 GMT
Keep-Alive:timeout=2, max=80
P3P:policyref="/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa DEVa CUSa PSAa IVAa CONo OUR IND UNI STA"
Server:Apache
Set-Cookie:XSRF-TOKEN=eyJpdiI6ImFiT3ZSWWVDUnlKcWMraGFrWnBVY2c9PSIsInZhbHVlIjoiOTVnc05UM3puVGRwTUNUbDl3T1FNTVpWdGxVM29VaHNLSUt0XC9LTkhzMG5iOGlNbmhHXC9KMDBBTW9qRjZFQXZaSmlHTmhKUVpmTGdpXC80K0lkSUhUdnc9PSIsIm1hYyI6IjI5Njc1ZWE2NTRiYTY4NWJhMmE5Y2UwNjBlZDRkOWE4OGQwOWQ5NjE1YjAyNTMwNTFmZDczY2RjNzRiNjExNDIifQ%3D%3D; expires=Mon, 28-Sep-2015 19:24:23 GMT; Max-Age=7200; path=/
Set-Cookie:laravel_session=eyJpdiI6IjJqbTRyWG1GOEd1c2NIRnd4eE4yMGc9PSIsInZhbHVlIjoiZzk2SFE2emxcL0xGNjI3aGtYd1NmWURUVEduMVZVY2dYeUlRTVo2UTYyU0I2dFljalhxTjJSY3JFMGpvXC9nc2N0N3dJUFZYbGQya3pUNit1eWtrM3JqZz09IiwibWFjIjoiNDBhYzAzZjkwNDA5ZDE4Y2Y5ZjQ1MjdiYTUwYWU2M2Y5NjVjY2I1ZmMxZWFlMzAwZWM4MmVjNWRlYjM2Yjc2ZSJ9; expires=Mon, 28-Sep-2015 19:24:23 GMT; Max-Age=7200; path=/; httponly
Vary:Origin
X-Powered-By:PHP/5.5.9-1ubuntu4.11
预检请求标题:
OPTIONS /destination/of/post HTTP/1.1
Host: laravel.domain.com
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: https://perl.domain.com
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Access-Control-Request-Headers: accept, content-type
Accept: */*
Referer: https://perl.domain.com/original/page.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
预检响应标题:
HTTP/1.1 200 OK
Date: Mon, 28 Sep 2015 17:24:24 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Allow: POST
Cache-Control: no-cache, private
access-control-allow-credentials: true
access-control-allow-origin: https://www.readytoship.com.au
access-control-allow-methods: GET, POST, PUT, DELETE
access-control-allow-headers: ACCEPT, CONTENT-TYPE
Set-Cookie: XSRF-TOKEN=eyJpdiI6ImVRTGM3Q1I5RUttXC83NlVLNEN3Z3ZRPT0iLCJ2YWx1ZSI6IlE0SVRjVnJHRHhRUXFYYUhZbVwvSEpLSFp2VVZSa0creW5OUzR2aFdXTEI5VWFEMzBCSkNjeHBzR0dycjVuYWxsOVJ4KzdNVWhhR3dMSmhiam8yUDZcL1E9PSIsIm1hYyI6ImRiYzE4ODRlMTAyOTFkMmY0NTI2YjkzMmExMGZjM2EzOTU2ZDc3N2Q1ZGQzYjNhM2EyNDY5YjhjNGIxMjVlMWYifQ%3D%3D; expires=Mon, 28-Sep-2015 19:24:24 GMT; Max-Age=7200; path=/
Set-Cookie: laravel_session=eyJpdiI6InR5M3JjWkltaVdoSldIa3FsWVp2YUE9PSIsInZhbHVlIjoibjFuODdiVXRKQmdvU1hVcTdcL3VQeWF4K243d2h3Z3EwNWtVeTNWZUdBWGFWQ21QQXlid2RFSmNLSklpanVpZUNhZGE5UlU2Q1FqUCtnSVd4UWkwM2ZRPT0iLCJtYWMiOiI1ZjNjOWQyNmZlNGI1MDI5OGQxOGY2ZGI5M2M1MTMwNWRjZGY4MDVjMGViODNjYjg0MmU5ZWQ0MzRjNjYyN2VhIn0%3D; expires=Mon, 28-Sep-2015 19:24:24 GMT; Max-Age=7200; path=/; httponly
Vary: Accept-Encoding
Content-Encoding: gzip
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa DEVa CUSa PSAa IVAa CONo OUR IND UNI STA"
Content-Length: 3501
Keep-Alive: timeout=2, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST请求标头:
POST /destination/of/post HTTP/1.1
Host: laravel.domain.com
Connection: keep-alive
Content-Length: 72
Accept: application/json, text/javascript, */ *; q=0.01
Origin: https://perl.domain.com
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/json
Referer: https://perl.domain.com/original/page.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: _dc_gtm_UA-5119192-1=1; _ga=GA1.3.2141864485.1441288526;
__zlcmid=WXevTAW8aGLGrO;
XSRF-TOKEN=eyJpdiI6ImQ1TFRGaWFwK3cyd3RRa3BzbUNmc0E9PSIsInZhbHVlIjoiNGEydmlLWE96NzZueWtaWWlUa3UzMjZOK29NbmNPb2VidVdVYzdSbkZsaWJMVmxBRitLT05oK3hodUc1ejRMOWJWYzVIeEl6UlpzQ0dIeWlob3pFOFE9PSIsIm1hYyI6IjkzNTczMDJlOWVhZjM5NTU0NGEyNmE5YWNiODcxNDk4YmE0ODEyYTE3ZWExODBiMmNhNDFmMGFhMjVmNjhhYjgifQ%3D%3D;
laravel_session=eyJpdiI6IkIrc3QzUk1iQnNEKysxOEg2UCtSbmc9PSIsInZhbHVlIjoiYXVDalVhaUpDMms3K3AwZFVLV0EyMDMwK25tVUQyYWw5c1MxTVRkZ0ZvVWpcL2lZUndubitsQ2VVMDF1UFcwNzNsR1doNG9TY2diMEhadHdXMEoxamt3PT0iLCJtYWMiOiI5MjE1NWE0MGNmMDgyYzhlYjBjMDUwY2JhOGYxNThjZTM0MjMwM2E3M2VjZjg1ZTgxMzIxZjE5OTkzZDEzZDhhIn0%3D;
_ga=GA1.3.1924987937.1443461035;
_dc_gtm_UA-5119192-1=1;
XSRF-TOKEN=eyJpdiI6ImFiT3ZSWWVDUnlKcWMraGFrWnBVY2c9PSIsInZhbHVlIjoiOTVnc05UM3puVGRwTUNUbDl3T1FNTVpWdGxVM29VaHNLSUt0XC9LTkhzMG5iOGlNbmhHXC9KMDBBTW9qRjZFQXZaSmlHTmhKUVpmTGdpXC80K0lkSUhUdnc9PSIsIm1hYyI6IjI5Njc1ZWE2NTRiYTY4NWJhMmE5Y2UwNjBlZDRkOWE4OGQwOWQ5NjE1YjAyNTMwNTFmZDczY2RjNzRiNjExNDIifQ%3D%3D;
laravel_session=eyJpdiI6IjJqbTRyWG1GOEd1c2NIRnd4eE4yMGc9PSIsInZhbHVlIjoiZzk2SFE2emxcL0xGNjI3aGtYd1NmWURUVEduMVZVY2dYeUlRTVo2UTYyU0I2dFljalhxTjJSY3JFMGpvXC9nc2N0N3dJUFZYbGQya3pUNit1eWtrM3JqZz09IiwibWFjIjoiNDBhYzAzZjkwNDA5ZDE4Y2Y5ZjQ1MjdiYTUwYWU2M2Y5NjVjY2I1ZmMxZWFlMzAwZWM4MmVjNWRlYjM2Yjc2ZSJ9
POST响应标题
HTTP/1.0 302 Found
Date: Mon, 28 Sep 2015 17:24:24 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Cache-Control: no-cache
Location: https://laravel.domain.com/auth/login
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa DEVa CUSa PSAa IVAa CONo OUR IND UNI STA"
Content-Length: 416
Connection: close
Content-Type: text/html
答案 0 :(得分:1)
同名的两个cookie可能因为它们位于不同的路径,当您编辑cookie时,您必须指定与令牌响应标头中相同的路径和相同的域。
答案 1 :(得分:1)
额外的Cookie(laravel_session
和XSRF-TOKEN
)未在/ token请求中发送。这表明他们没有/
的路径。
此外,额外值不会出现在任何Set-Cookie
标题中
一些可能性/事情需要调查:
您展示的Set-Cookie
标题都有expires
& Max-Age
设置
这意味着它们会保存到Chrome的Cookie商店中
您可以转到Chrome Settings
,点击Show advanced settings
,点击Privacy > Content Settings
,然后点击All cookies and site data...
来检查存储的Cookie。
点击一个域名,它会为每个cookie显示一个“按钮”
点击这些内容可查看path
,expires
等,可能更重要的是 时设置了Cookie。