我有两个域: www.local 和 api.local 。我有 http://www.local/home/login 的登录页面,该页面接受用户名和密码,并对 http://api.local/auth 进行跨域POST,验证并返回JWT在cookie中(以及会话cookie)。
我设置了CORS,因此请求有效,我在我的ajax请求中使用了withCredentials: true
。 Cookie的域名设置为" local"路径是" /"。我希望浏览器能够看到来自子域的cookie,并将它们发送给http://local,www.local,api.local或任何其他子域的未来请求。
然而,这不会发生,我无法解释原因。以下是POST http://api.local/auth
的请求标头:
Accept:*/*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8,eo;q=0.6
Cache-Control:no-cache
Connection:keep-alive
Content-Length:29
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
DNT:1
Host:api.local
Origin:http://www.local
Pragma:no-cache
Referer:http://www.local/home/login
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
响应标题:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://www.local
Cache-Control:no-cache
Connection:keep-alive
Content-Type:text/html; charset=UTF-8
Date:Mon, 20 Jun 2016 15:44:31 GMT
Server:nginx/1.10.1
Set-Cookie:jwt=eyJpdiI6InlcL041NU5UaW8raXdHdnRaRUpvMG9BPT0iLCJ2YWx1ZSI6IkkyTWFhUEpPdlhFaVlmcVZrSUM1MFA4TUgwQ2VxZXlhYjlnVXFXMitJczg4OVN0bTZlVWVTT205SytYNUVERW1aMjBYelVMYXY4bEExUE9laXVNUkFQTk5ib2s2SGRNYkxhY1J6MTY3WitCUSt0N2dXTFowNDlSTGZ2WVZoWUJNbDVlUUtCZG8yTFg4SFNjZ0xLK0toTVR3b0dmY1dcL0RPTUZ6NXEwblgreHh6M3hCeEhTSmpWcUFubjRIQnRYSmU4SUg5dUt2c2xiOFRocHNzNTk3XC90Uk82V3pwWFZxM0g3aVM1OGpSM1ZHeHdlNHhEOWZ0VHY1SEtDKzBNM1NucHNxbXdaeU1neWpjTGRDS2pWUVpocjlHZVR1WkFraGcwbkpCSmNvU2ZwNGVzQzM4aHpSdHNqNUlTV1ZxK1wvdm1EWW14UmY3VjlFN0ZpOEcrT2ZYcTR0cExcL0gyT3B4RzJBaURxcW5ZamJmTWdhMTJ4Q0M3c3o3cW90eEpjbUFOc0giLCJtYWMiOiI5NDRjOTMyNTY4ZWMyY2ZkNzhhZDMwMjA1YjUwNzI5N2IyZTMwMTM3YjFkZmE3Njk4MTNlZjAxNjE1MmM3MGNlIn0%3D; expires=Sat, 19-Jun-2021 15:44:31 GMT; Max-Age=157680000; path=/; domain=local; HttpOnly
Set-Cookie:laravel_session=eyJpdiI6IlB5QTFKR2FZcnBJRFwvQTk4YmNweXVBPT0iLCJ2YWx1ZSI6ImxoMERSaWdTdzI5MGQzazE0RHZvS1NsbHFJWnJzSlE0a1pWcWcya2Y4Zng2enY3c2Y1eXlPeVZVNU9aVVp0ekVaYzg4ZktCV2hFenN1VWRQYjFid2dnPT0iLCJtYWMiOiJmNDYzYjkwM2NjZDI4YTI2ODFhMmU0NGNhY2JiMmI0NWY2OGMwYzQ4MmQ2NTIwMTBhZGNlYzRkNDUwNzZkNTgyIn0%3D; expires=Wed, 16-May-2018 02:23:31 GMT; Max-Age=59999940; path=/; domain=local; HttpOnly
Transfer-Encoding:chunked
Vary:Origin
X-Clockwork-Id:1466437471.4976.1730934611
X-Clockwork-Version:1.11.1
X-Powered-By:PHP/7.0.7
发出ajax请求的代码:
$.ajax
url: dest
method: 'post'
xhrFields:
withCredentials: true
data: postParams
beforeSend: (xhr, settings) =>
console.log settings.xhrFields # Prints "Object {withCredentials: true}"
success: (response) =>
console.log document.cookie # Prints ""
正如您所看到的,Cookie在响应中正确返回,但JS无法看到它们(而不是我需要它)。我可以从HttpOnly
Cookie中删除jwt
,但它没有任何区别(JS仍打印出来"")。此外,我对 http://www.local/jwt 的下一个请求不包含请求标头中的Cookie ...
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8,eo;q=0.6
Cache-Control:no-cache
Connection:keep-alive
Content-Length:29
Content-Type:application/x-www-form-urlencoded
DNT:1
Host:www.local
Origin:http://www.local
Pragma:no-cache
Referer:http://www.local/home/login
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
...当然PHP看不到任何cookie。