我的响应中存在一个set-cookie标头,但浏览器似乎没有存储它(在邮递员中,它就像一个符咒一样工作)。我的API是用.NET Core编写的,并且我在客户端上使用axios(反应)。但是,出于SSR的目的,客户端请求将通过快速服务器进行代理。
我已经尝试过在此处发布多种解决方案。从在axios中将withCredentials设置为true的基础到将服务器上的MinimumSameSitePolicy设置为none(在代码中可以看到)。
服务器
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => false;
options.MinimumSameSitePolicy = SameSiteMode.None;
options.ConsentCookie.HttpOnly = false;
});
..........
app.UseCookiePolicy(new CookiePolicyOptions
{
MinimumSameSitePolicy = SameSiteMode.None,
HttpOnly = HttpOnlyPolicy.None
});
客户
const axiosInstance = axios.create({
baseURL: '/api',
withCredentials: true,
headers: {
'Access-Control-Allow-Origin': 'http://localhost:3000/',
'Content-Type': 'application/json'
}
});
代理
app.use(
'/api',
proxy('https://localhost:44364/', {
proxyReqOptDecorator(opts) {
opts.rejectUnauthorized = false;
opts.headers['x-forwarded-host'] = 'localhost:3000';
return opts;
},
proxyReqPathResolver(req) {
return `/api${req.url}`;
}
})
);
带有cookie的响应:
HTTP/1.1 200 OK
x-powered-by: ASP.NET
cache-control: no-cache
pragma: no-cache
content-type: text/plain; charset=utf-8
expires: Thu, 01 Jan 1970 00:00:00 GMT
server: Kestrel
set-cookie: .AspNetCore.Cookies=CfDJ8KvV0sFM8_FJqzJkoUey_LvYSADPHUA20Mq40db0KYSbL9Q2ZjS2JW87G8CzcTDBIpG1H6mZ_nuThzOniga7oRpguIgi3xIFCjkY5D0DXwT98ZVejY7nzLaCmV9rGLMkkqqADbr0zzwUkzXQqtWMtubY0cdHXPskTWFucMjjYk0BU4eCuWOjRzooL-QtwYtDClP720LVetm8lZGvAS6jfYpk-HWZIQiDo1ERKqhyIWKYqSFBEN0nV4ykL6KhfqEjcK8URzTEnBxdV7dCpk287smjAzTvOziRWfO6BtpxXC2tZ9NBeTLLqitn_CaAypewt9qMnjMi75zazo6yicRlTsDp-i3LT0OkD_ls1celSeG1VPlTg0OMVm0nADpZurMT9LSrijsSrcFT0wvNSTeW9vE; path=/; secure; samesite=lax; httponly
x-sourcefiles: =?UTF-8?B?QzpcVXNlcnNcTWFrYWxhXERlc2t0b3BcUm91dG9yaWFsXFJvdXRvcmlhbEFQSVxSb3V0b3JpYWxBUElcUm91dG9yaWFsQVBJXGFwaVxhY2NvdW50XGxvZ2luU3VibWl0?=
date: Sun, 26 May 2019 15:47:32 GMT
connection: close
Content-Length: 6
ETag: W/"6-+3OfqLi6+pGCkKvbVPPQANDiBD4"
答案 0 :(得分:0)
在2.0版中,asp.net核心引入了新的行为:默认情况下,它向所有set-cookie标头添加了<Shell xmlns="http://xamarin.com/schemas/2014/forms"
xmlns:x="http://schemas.microsoft.com/winfx/2009/xaml"
x:Class="XamShell.Views.ListOfProductsPage"
Visual="Material"
xmlns:local="clr-namespace:XamShell.Views"
FlyoutBehavior="Flyout"
xmlns:controls="clr-namespace:XamShell.Controls"
Routing.Route="ProductList">
<Shell.FlyoutHeader>
<controls:FlyoutHeader/>
</Shell.FlyoutHeader>
<local:HomePage />
</Shell>
FlyoutHeader
<Grid BackgroundColor="White">
<BoxView
BackgroundColor="Yellow"
Opacity="0.6" />
<Label Text="Animals"
TextColor="Red"
FontAttributes="Bold"
HorizontalTextAlignment="Center"
VerticalTextAlignment="Center" />
</Grid>
属性。
samesite=lax的Cookie策略中间件设置可能会影响您在MinimumSameSitePolicy中设置的Cookie.SameSite
尝试在Startup.ConfigureServices中显式覆盖此默认行为:
CookieAuthenticationOptions答案 1 :(得分:0)
谢谢@Xing Zou!您的回答很接近,使我思考正确的方向。 CookiePolicyOptions根本不起作用,似乎也没有覆盖默认选项。 相反,我使用了
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
options.Cookie.SameSite = SameSiteMode.None;
options.Cookie.HttpOnly = true;
options.Cookie.SecurePolicy = CookieSecurePolicy.None;
});
在ConfigureServices和
中 app.UseAuthentication();
在“配置”中。
当浏览器具有安全标志时,它没有设置cookie,因此必须将其禁用
options.Cookie.SecurePolicy = CookieSecurePolicy.None;