响应中存在 CORS 设置 cookie 标头,但未创建 cookie

时间:2021-04-08 13:06:44

标签: http go cookies axios cross-domain

我正在尝试从 Go (127.0.0.1:8080) 中制作的 API 在我的客户端 (127.0.0.1:3000) 中创建一个 cookie,我想我已经在 CORS 所需的响应中添加了大多数标头,并且cookie 具有 samesite=nonesecure=true,但仍未设置。下面我添加了 chrome devtools 网络选项卡中显示的请求和响应的图片,以及发出请求的 axios 代码和在 API 服务器中处理请求的 go 代码。

开始:

//Handles account sign ins
func Login(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
    fmt.Println("login handler")
    //decoder := json.NewDecoder(r.Body)
    //var t models.LoginUserData
    //err := decoder.Decode(&t)
    //if err != nil {
    //  log.Println(err)
    //}
    //middleware.SignIn(t.User.Username, t.User.Password)

    http.SetCookie(w, &http.Cookie{Name: "sabor", Value: "merda", Path: "/", HttpOnly: false, SameSite: http.SameSiteNoneMode, Secure: true, Domain: "127.0.0.1"})
    header := w.Header()
    header.Set("Access-Control-Allow-Credentials", "true")

    //header.Set("Access-Control-Expose-Headers", "Set-Cookie")
    header.Set("Access-Control-Allow-Headers", "Content-Type, withCredentials")
    header.Set("Access-Control-Allow-Origin", "http://127.0.0.1:3000")
    header.Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS")
    w.WriteHeader(http.StatusOK)
}

Axios:

let config = {
      headers: {
        withCredentials: true,
      },
    };

axios
      .post(
        "http://127.0.0.1:8080/login",

        {
          User: {
            Username: username,
            Password: password,
          },
        },

        config
      )
      .then(function (response) {
        console.log(response)
        console.log(response.data)
        console.log(response.headers)
        console.log(response.data.cookie)
        if (response.status === 200) {
          console.log("if works")
          
        }
      })
      .catch(function (error) {
        console.log(error);
      });

请求和响应图片: Request and response image

1 个答案:

答案 0 :(得分:1)

您将 cookie 标记为“安全”(HTTPS),但是对您的 API 的请求是通过不安全的 (HTTP) 连接发出的。

<块引用>

Secure 属性将 cookie 的范围限制为“安全” 通道(其中“安全”由用户代理定义)。当一个 cookie 具有 Secure 属性,用户代理将包括 仅当请求通过 安全通道(通常是 HTTP over Transport Layer Security (TLS)) 请参阅https://tools.ietf.org/html/rfc6265

你可以在下面试试这个;

func Login(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
    // In case you don't have separate CORS middleware
    if r.Method == http.MethodOptions {
        header := w.Header()
        header.Set("Access-Control-Allow-Credentials", "true")
        header.Set("Access-Control-Allow-Headers", "Content-Type, withCredentials")
        header.Set("Access-Control-Allow-Origin", "http://localhost:3000")
        header.Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS")
        w.WriteHeader(http.StatusOK)
        return
    }
    
    http.SetCookie(w, &http.Cookie{Name: "sabor", Value: "merda", Path: "/", HttpOnly: false, SameSite: http.SameSiteNoneMode, Secure: false, Domain: "localhost"})
    
}

而从 axios 中,只需将端点替换为 localhost; axios.post( "http://localhost:8080/login", ...

相关问题
最新问题