My question: I have a server and an application running on 2 different domains.
Calling POST /login works fine and returns me a cookie. Calling GET /projects I get a 401.
If you inspect the request and response, you will see that the second, projects call sends the wrong cookie. It seems the cookie is not being set correctly.
Login call request
Host: ***-***.herokuapp.com
Connection: keep-alive
Content-Length: 56
Accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: https://***.********.nl
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://***.********.nl/login
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,nl;q=0.7,de;q=0.6
Login call response
Server: Cowboy
Connection: keep-alive
X-Dns-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Access-Control-Allow-Origin: https://***.********.nl
Vary: Origin
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: 103
Etag: W/"67-AcqjF7Jne+FP4OtwKOHMGKpgbHY"
Set-Cookie: SessionId=s%3AyWaalYxA-qU2KY3gvGbg0x1K3Ro7jjwI.d%2B8CZS3m6YCKL0X1TQSlm2TW3ihUaV%2BnfGpj3SsylEE; Path=/; HttpOnly; Secure; SameSite=None
Date: Sat, 18 Jul 2020 18:26:41 GMT
Via: 1.1 vegur
Projects call request
GET /api/v1/projects/ HTTP/1.1
Host: ***-***.herokuapp.com
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Origin: https://***.********.nl
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://***.********.nl/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,nl;q=0.7,de;q=0.6
Cookie: SessionId=s%3Am5eOkHADAMTBXXdbnB3WwaEjsM8M6uqZ.8Ew5jim5S0iXei4DvucMZ%2BQv8LbUYteBE%2Bt6pVvtzEM
Projects call response
HTTP/1.1 401 Unauthorized
Server: Cowboy
Connection: keep-alive
X-Dns-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Access-Control-Allow-Origin: https://***.********.nl
Vary: Origin
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: 45
Etag: W/"2d-dzHmdZiZSbYibOdmu6CEgThdGrs"
Date: Sat, 18 Jul 2020 18:26:42 GMT
Via: 1.1 vegur
Express CORS configuration
this.app.use(cors({
origin: ["https://********.nl", "https://***.********.nl", /\.********\.nl$/],
credentials: true
}))
Passport.js configuration
cookie: {
production: true,
maxAge: null,
sameSite: 'none',
secure: true,
}
CloudFront configuration
Answer 0 (score: 0)
This is a bit speculative, but it is too long to fit in a comment, so I will try to structure it as an answer...
The key question here is: where does the other cookie come from? I see two possibilities:
One thing you do not mention in the question is whether the second request always sends the same cookie. That would let us distinguish between the two cases above.
I notice that the original login request does not contain a cookie request header. This is interesting, because if the rogue cookie were an old cookie, it should have been included in that request as well.
Based on all this, my theory is that you are not setting the withCredentials flag to true on the login request. This would explain why there is no cookie request header, and also why the returned set-cookie response header is ignored.
To be clear, you need to set withCredentials on both requests. Setting it only on the second request is not enough. Given that the second request contains a cookie header, it seems the second request already has withCredentials set.
I would also suggest looking at the cookies stored in your browser. That will show exactly which cookies are set, and also lets you delete specific cookies. Try deleting the cookie in question and then see whether it gets set when you log in.
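The answer's point (credentials must be opted in on both the login call and the projects call, and a cross-site cookie needs SameSite=None; Secure) as an added JavaScript example; this is not code from the question or the answer. The origins, cookie values and the simplified browser-rule model are constructed stand-ins.

```javascript
// Added example (not the question's or answer's code): a small model of the browser rules
// behind the answer, so both client calls and the cookie attributes can be checked offline.
const FRONTEND = "https://app.example.nl";   // constructed stand-in for the SPA origin
const API = "https://api.example.com";        // constructed stand-in for the Heroku API origin

// Both calls opt in to credentials, as the answer says; setting it on one call is not enough.
function loginRequest(email, password) {
  return { url: `${API}/login`, method: "POST", origin: FRONTEND, credentials: "include",
           headers: { "Content-Type": "application/json" }, body: JSON.stringify({ email, password }) };
}
function projectsRequest() {
  return { url: `${API}/api/v1/projects/`, method: "GET", origin: FRONTEND, credentials: "include" };
}

// Minimal Set-Cookie parser: name, value, Secure and SameSite (defaulting to Lax, as Chrome does).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: "lax" };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Would the browser store this response's cookie? Returns null if stored, else the reason it was
// dropped. Cross-origin stands in for cross-site here; the two constructed origins are different
// sites, so the simplification holds.
function storeCookie(jar, request, response) {
  if (request.credentials !== "include") return "no credentials on request: Set-Cookie ignored";
  const cookie = parseSetCookie(response.headers["set-cookie"]);
  const crossSite = new URL(request.url).origin !== request.origin;
  if (crossSite && (cookie.sameSite !== "none" || !cookie.secure)) return "cross-site cookie needs SameSite=None; Secure";
  jar[cookie.name] = cookie.value;
  return null;
}

// The CORS check decides whether the page may read a credentialed response: the origin must be
// echoed exactly (no wildcard) and Access-Control-Allow-Credentials must be "true".
function corsAllowsCredentialed(request, response) {
  const h = response.headers;
  return h["access-control-allow-origin"] === request.origin && h["access-control-allow-credentials"] === "true";
}

// Cookie header the browser attaches to the next request, or undefined if none would be sent.
function cookieHeaderFor(jar, request) {
  if (request.credentials !== "include") return undefined;
  const pairs = Object.entries(jar).map(([name, value]) => `${name}=${value}`);
  return pairs.length ? pairs.join("; ") : undefined;
}
```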