浏览器不保存从CORS请求获取的身份验证cookie

时间:2018-02-28 10:20:47

标签: cors session-cookies couchdb-2.0

====问题已解决====

下面描述的问题是由于未在基础xhr请求对象上正确设置属性'withCredentials'引起的。我们无法从下面给出的请求和响应的痕迹中看到。

对于Purescript用户:Affjax库的便利函数(put,get等)依赖于defaultRequest对象,该对象将此属性设置为false。

========================

在下面给出的请求和响应方案中,浏览器首先进行身份验证,然后尝试在Couchdb中创建数据库。

原点位于http://127.0.0.1http://127.0.0.1:5984上的服务器,因此该请求被视为跨域。

此操作失败,并显示一条错误,指示客户端未经过身份验证。但是,就服务器而言,客户端进行了身份验证:它发送一个AuthSession cookie。问题是浏览器不会使用数据库创建请求返回该cookie。实际上,我无法通过任何Chrome界面找到cookie:它没有存储。

我完全不知道为什么。我检查了CORS规范(https://www.w3.org/TR/cors/#resource-sharing-check-0),据我所知,满足了接受cookie的所有要求。 请求的原始域为http://127.0.0.1,此域位于Access-Control-Allow-Origin标头的内容中。 请求的标头位于Access-Control-Allow-Headers标头的内容中。 Access-Control-Allow-Credentials为“true”。

对COUCHDB的预先认证请求

OPTIONS /_session HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

RESPONSE

HTTP/1.1 204 No Content
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: a307303b47
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Length: 0
Access-Control-Max-Age: 600
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, OPTIONS
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Credentials: true

实际认证请求

POST /_session HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Content-Length: 35
Pragma: no-cache
Cache-Control: no-cache
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://127.0.0.1/dist/index.html?user=cor&password=geheim
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

RESPONSE

HTTP/1.1 200 OK
Set-Cookie: AuthSession=YWRtaW46NUE5NjY4MTc6DBUWBuYmEGnyuJvrpic7Z6DEiko; Version=1; Path=/; HttpOnly
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Type: application/json
Content-Length: 46
Cache-Control: must-revalidate
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Credentials: true

预先要求在COUCHDB中创建数据库

OPTIONS /_node/couchdb@localhost/_config/admins/cor HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: PUT
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

RESPONSE

HTTP/1.1 204 No Content
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: bd94200e3e
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Length: 0
Access-Control-Max-Age: 600
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, OPTIONS
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Credentials: true

实际请求

PUT /_node/couchdb@localhost/_config/admins/cor HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Content-Length: 8
Pragma: no-cache
Cache-Control: no-cache
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://127.0.0.1/dist/index.html?user=cor&password=geheim
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

RESPONSE

HTTP/1.1 401 Unauthorized
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: 6eabdacc77
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Type: application/json
Content-Length: 64
Connection: close
Cache-Control: must-revalidate
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Credentials: true

1 个答案:

答案 0 :(得分:0)

下面描述的问题是由于未在基础xhr请求对象上正确设置属性'withCredentials'引起的。我们无法从下面给出的请求和响应的痕迹中看到。

对于Purescript用户:Affjax库的便利函数(put,get等)依赖于defaultRequest对象,该对象将此属性设置为false。