Browser does not store the authentication cookie obtained from a CORS request
==== PROBLEM SOLVED ====
The problem described below was caused by the property 'withCredentials' not being set correctly on the underlying xhr request object. This cannot be seen from the request and response traces given below.
For Purescript users: the convenience functions of the Affjax library (put, get, etc.) rely on a defaultRequest object that sets this property to false.
========================
In the request and response scenario given below, the browser first authenticates and then tries to create a database in Couchdb.
The origin is at http://127.0.0.1, the server at http://127.0.0.1:5984, so the request is considered cross-origin.
This fails with an error indicating that the client is not authenticated. However, as far as the server is concerned, the client did authenticate: it sends an AuthSession cookie. The problem is that the browser does not send that cookie back with the database creation request. In fact, I cannot find the cookie through any Chrome interface: it is not stored.
I have no idea why. I checked the CORS specification (https://www.w3.org/TR/cors/#resource-sharing-check-0) and, as far as I can tell, all requirements for accepting the cookie are met. The origin of the request is http://127.0.0.1, and this domain is in the contents of the Access-Control-Allow-Origin header. The requested headers are in the contents of the Access-Control-Allow-Headers header. Access-Control-Allow-Credentials is "true".
Preflight of the authentication request to CouchDB
OPTIONS /_session HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7
Response
HTTP/1.1 204 No Content
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: a307303b47
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Length: 0
Access-Control-Max-Age: 600
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, OPTIONS
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Credentials: true
Actual authentication request
POST /_session HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Content-Length: 35
Pragma: no-cache
Cache-Control: no-cache
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://127.0.0.1/dist/index.html?user=cor&password=geheim
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7
Response
HTTP/1.1 200 OK
Set-Cookie: AuthSession=YWRtaW46NUE5NjY4MTc6DBUWBuYmEGnyuJvrpic7Z6DEiko; Version=1; Path=/; HttpOnly
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Type: application/json
Content-Length: 46
Cache-Control: must-revalidate
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Credentials: true
Preflight of the request to create a database in CouchDB
OPTIONS /_node/couchdb@localhost/_config/admins/cor HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: PUT
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7
Response
HTTP/1.1 204 No Content
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: bd94200e3e
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Length: 0
Access-Control-Max-Age: 600
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, OPTIONS
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Credentials: true
Actual request
PUT /_node/couchdb@localhost/_config/admins/cor HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Content-Length: 8
Pragma: no-cache
Cache-Control: no-cache
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://127.0.0.1/dist/index.html?user=cor&password=geheim
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7
Response
HTTP/1.1 401 Unauthorized
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: 6eabdacc77
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Type: application/json
Content-Length: 64
Connection: close
Cache-Control: must-revalidate
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Credentials: true
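An added example, not code from the original post or from Affjax, that models the two conditions in play: the server-side CORS check the traces do show, and the client-side credentials flag they cannot show. The sample response and its PLACEHOLDER_TOKEN value are constructed, and cookieWillBeStored is a simplified model of browser behaviour, not a browser API.

```javascript
// Added example, not from the original post: models the client-side setting
// the traces could not show. Whether a browser keeps a cookie from a
// cross-origin XHR depends on server CORS headers AND the credentials mode.
// Parse a raw HTTP response (status line + header lines) into a
// lower-cased header map; repeated headers are collected into arrays.
function parseResponseHeaders(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim() !== "");
  const [, status] = lines[0].match(/^HTTP\/\d\.\d\s+(\d{3})/) || [];
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? [].concat(headers[name], value) : value;
  }
  return { status: Number(status), headers };
}

// Resource-sharing check for a credentialed request: Allow-Origin must echo
// the exact origin (never "*") and Allow-Credentials must be the literal,
// case-sensitive string "true".
function credentialedCorsCheck(origin, headers) {
  if (headers["access-control-allow-origin"] !== origin)
    return { ok: false, reason: "origin not echoed exactly" };
  if (headers["access-control-allow-credentials"] !== "true")
    return { ok: false, reason: "Allow-Credentials is not 'true'" };
  return { ok: true, reason: "ok" };
}

// Would the browser store Set-Cookie from this cross-origin response?
// With withCredentials=false (the Affjax default described above) the
// cookie is dropped even though the server's headers pass the check.
function cookieWillBeStored(withCredentials, origin, rawResponse) {
  const { headers } = parseResponseHeaders(rawResponse);
  if (!("set-cookie" in headers) || !withCredentials) return false;
  return credentialedCorsCheck(origin, headers).ok;
}

// Constructed sample: the relevant lines of the POST /_session response,
// with a placeholder instead of the real session token.
const SESSION_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Set-Cookie: AuthSession=PLACEHOLDER_TOKEN; Version=1; Path=/; HttpOnly",
  "Access-Control-Allow-Origin: http://127.0.0.1",
  "Access-Control-Allow-Credentials: true",
].join("\r\n");
// Client-side fix (browser code): xhr.withCredentials = true; or, with the
// fetch API, fetch(url, { credentials: "include" });
```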