Laravel cookie not saved in the browser

Time: 2019-09-24 18:59:25

Tags: javascript laravel http cookies axios

I am using Laravel 5.8 with the frontend and backend separated, and I am currently testing on localhost.

I have already resolved some serious CORS problems, and I don't want to install an external Composer package to solve such a simple problem.

I simply initiate the user session by sending a GET request to /user, which sets the session cookie, starts the session and returns the CSRF token.

Everything works: a 200 response and no CORS errors, although the cookies are not saved. Access-Control-Allow-Credentials: true is set.

This is a problem because, to log in, the CSRF token and the cookie have to match. So if the cookie is not set for the user, authentication cannot be done securely.

As the cookie domain I am using http://localhost.

// The global Axios config I'm using to make all requests.
const main_axios = axios.create({
    baseURL: process.env.ROOT_API + process.env.API_VERSION,
    withCredentials: true,
    headers : {
        'Content-Type': 'application/x-www-form-urlencoded',
    },
});

GET request to /user to initialize the cookies and the session and to get the CSRF token:

Host: localhost:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/
Origin: http://localhost:8080
DNT: 1
Connection: keep-alive
Cache-Control: max-age=0

Response (200):

HTTP/1.1 200 OK
Host: localhost:8000
Date: Tue, 24 Sep 2019 14:45:02 -0400
Connection: close
X-Powered-By: PHP/7.2.11
Cache-Control: no-cache, private
Date: Tue, 24 Sep 2019 18:45:02 GMT
Content-Type: application/json
Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, DNT, X-Requested-With, Application
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:8080
Set-Cookie: XSRF-TOKEN=<...>; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/; domain=http://localhost
Set-Cookie: smartgames_session=<...>; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/; domain=http://localhost

Response body:

{"token":"8yNgrCV8YNs9fU46rSHky2vonzqrmN0S8blxzUWM"}

The Set-Cookie headers are not saved in the browser: console.log(document.cookie); prints "".

The console does not show the CORS warnings I was getting before.

Cors middleware:

<?php

namespace App\Http\Middleware;

use Closure;

class Cors
{
    public function handle($request, Closure $next)
    {
        // Run the request, then attach the CORS headers to the response.
        return $next($request)
            ->header('Access-Control-Allow-Headers', 'Origin, Content-Type, Accept, Authorization, DNT, X-Requested-With, Application')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
            ->header('Access-Control-Allow-Credentials', 'true')
            ->header('Access-Control-Allow-Origin', 'http://localhost:8080');
    }
}

Kernel:

protected $middleware = [
    \App\Http\Middleware\Cors::class,
    ...
];

protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\Cors::class,
        ...
    ],
    ...
];

protected $routeMiddleware = [
    'cors' => \App\Http\Middleware\Cors::class,
    ...
];

protected $middlewarePriority = [
    \App\Http\Middleware\Cors::class,
    ...
];

Routes:

Route::group(['middleware' => ['cors']], function () {

    // to get cookies and get csrf      
    Route::get('/user', 'API\v1\UserController@user_init');

    Auth::routes();
});

Before starting the server:

$ php artisan cache:clear && php artisan route:cache && php artisan serve

Any help is greatly appreciated, I have been struggling with this for a long time. Thanks everyone.
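The question shows a Set-Cookie header whose Domain attribute is `http://localhost` and a browser that stores nothing. The following is an added example, not code from the question or from Laravel: a minimal model of how a user agent decides whether to store a cookie based on its Domain attribute, following RFC 6265 (sections 5.1.3, 5.2.3 and 5.3). It runs the check on a constructed copy of the header above (the token value is a placeholder) and on the same cookie without a scheme in the Domain. The host is taken from the request authority without the port, because the cookie store does not distinguish ports (RFC 6265 section 8.5); the public-suffix check a real browser also performs is omitted.

```javascript
// Added example: how a user agent evaluates the Domain attribute of a
// Set-Cookie header (RFC 6265 sections 5.1.3, 5.2.3, 5.3). Illustrative code
// written for this page; it is not browser or Laravel source.

// Split a Set-Cookie header into the name=value pair and its attributes (RFC 6265 5.2).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  if (eq === -1) return null; // no name=value pair: not a cookie at all
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const attr of attrParts) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Host part of an authority such as "localhost:8000"; the port is not part of the cookie host.
function hostFromAuthority(authority) {
  if (authority.startsWith('[')) {
    // IPv6 literal like [::1]:8000 -> keep the bracketed host
    return authority.slice(0, authority.indexOf(']') + 1).toLowerCase();
  }
  return authority.split(':')[0].toLowerCase();
}

// Simple IP-literal test, enough for the "string is a host name" condition of 5.1.3.
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

// RFC 6265 5.1.3: requestHost domain-matches cookieDomain if they are identical,
// or cookieDomain is a suffix of requestHost preceded by "." and requestHost is not an IP.
function domainMatches(requestHost, cookieDomain) {
  if (requestHost === cookieDomain) return true;
  if (isIpAddress(requestHost)) return false;
  return (
    requestHost.endsWith(cookieDomain) &&
    requestHost[requestHost.length - cookieDomain.length - 1] === '.'
  );
}

// RFC 6265 5.3 storage decision, Domain attribute only.
// Returns { stored: true, name, domain, hostOnly } or { stored: false, name, reason }.
function evaluateCookieDomain(requestAuthority, setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  if (!cookie) return { stored: false, reason: 'no name=value pair' };
  const requestHost = hostFromAuthority(requestAuthority);

  // 5.2.3: empty Domain is ignored, a leading "." is dropped, the value is lower-cased.
  let cookieDomain = (cookie.attrs.domain || '').toLowerCase();
  if (cookieDomain.startsWith('.')) cookieDomain = cookieDomain.slice(1);

  if (cookieDomain === '') {
    // No Domain attribute: host-only cookie for exactly the request host.
    return { stored: true, name: cookie.name, domain: requestHost, hostOnly: true };
  }
  // A real user agent also ignores the cookie if cookieDomain is a public suffix (omitted here).
  if (!domainMatches(requestHost, cookieDomain)) {
    return {
      stored: false,
      name: cookie.name,
      reason: `Domain "${cookieDomain}" does not domain-match request host "${requestHost}"`,
    };
  }
  return { stored: true, name: cookie.name, domain: cookieDomain, hostOnly: false };
}

// Constructed sample input: the question's header shape with a placeholder token,
// and the same cookie with no Domain attribute (a host-only cookie).
const REQUEST_AUTHORITY = 'localhost:8000';
const COOKIE_WITH_SCHEME =
  'XSRF-TOKEN=<token>; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/; domain=http://localhost';
const COOKIE_HOST_ONLY =
  'XSRF-TOKEN=<token>; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/';

console.log(evaluateCookieDomain(REQUEST_AUTHORITY, COOKIE_WITH_SCHEME));
console.log(evaluateCookieDomain(REQUEST_AUTHORITY, COOKIE_HOST_ONLY));
```

A Domain value that contains a scheme or a port can never be a suffix of a bare host name, so a conforming user agent drops the whole cookie rather than storing it with a corrected domain. Note also that `document.cookie` only exposes cookies without the HttpOnly flag; Laravel's session cookie is HttpOnly by default, so in a working setup only XSRF-TOKEN would appear there.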

0 answers:

No answers