Set-Cookie 标头未出现在 Google Chrome 中

Posted

技术标签:

【中文标题】Set-Cookie 标头未出现在 Google Chrome 中【英文标题】:Set-Cookie Header Not Appearing In Google Chrome 【发布时间】:2019-09-08 05:48:15 【问题描述】:

问题

我正在运行一个带有设置 cookie 的 Post 端点的 Spring Boot 服务器。从我的 Angular 应用程序向端点发出请求时,我在 Chrome 的开发控制台的响应标头中看不到 Set-Cookie 标头。为什么 Set-Cookie 标头不显示?

调查总结

使用 curl 时,Set-Cookie 响应标头确实显示在响应标头中,Set-Cookie 也存在于 Safari 上,并且它显示在 chrome net-export 日志中。

环境

我在我的 Mac 上的 /etc/hosts 文件中为 xxx.com 添加了一个条目以指向我的本地主机。 我在http://example.com:4200 使用ng serve --host 0.0.0.0 --disable-host-check 命令托管角度用户界面。 我正在http://example.com:8080 运行 Spring Boot 服务器 感兴趣的后端点位于http://example.com:8080/accounts/v1/user/authenticate 使用最新版chromeVersion 73.0.3683.103 (Official Build) (64-bit)

尝试调试

Safari

Set-Cookie 标头在 Safari 开发者控制台的响应标头中可见。

Chrome 开发者控制台

前往 devconsole -> 网络 -> 验证请求。我查看了请求和响应标头,但 Set-Cookie 不存在。

请求标头

Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: http://example.com:4200
Referer: http://example.com:4200/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/73.0.3683.103 Safari/537.36

响应标头

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://example.com:4200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Wed, 17 Apr 2019 21:58:52 GMT
Expires: 0
Pragma: no-cache
Server: nginx/1.15.6
Transfer-Encoding: chunked
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

使用 Chrome chrome://net-export/

我保存了发布请求的日志。有趣的是,Set-Cookie 标头确实出现在这些日志中。此外,Cookie 标头也确实出现在请求中(可能是从之前的尝试中保存的)。

t=190196 [st=  0] +REQUEST_ALIVE  [dt=125]
                   --> priority = "MEDIUM"
                   --> url = "http://example.com/accounts/v1/user/authenticate"
t=190196 [st=  0]    NETWORK_DELEGATE_BEFORE_URL_REQUEST  [dt=0]
t=190196 [st=  0]   +URL_REQUEST_START_JOB  [dt=124]
                     --> load_flags = 0 (NORMAL)
                     --> method = "POST"
                     --> privacy_mode = 0
                     --> upload_id = "0"
                     --> url = "http://example.com/accounts/v1/user/authenticate"
t=190197 [st=  1]      NETWORK_DELEGATE_BEFORE_START_TRANSACTION  [dt=0]
t=190197 [st=  1]      HTTP_CACHE_GET_BACKEND  [dt=0]
t=190197 [st=  1]     +HTTP_STREAM_REQUEST  [dt=0]
t=190197 [st=  1]        HTTP_STREAM_JOB_CONTROLLER_BOUND
                         --> source_dependency = 16598 (HTTP_STREAM_JOB_CONTROLLER)
t=190197 [st=  1]        HTTP_STREAM_REQUEST_BOUND_TO_JOB
                         --> source_dependency = 16599 (HTTP_STREAM_JOB)
t=190197 [st=  1]     -HTTP_STREAM_REQUEST
t=190197 [st=  1]      UPLOAD_DATA_STREAM_INIT  [dt=0]
                       --> is_chunked = false
                       --> net_error = 0 (?)
                       --> total_size = 43
t=190197 [st=  1]     +HTTP_TRANSACTION_SEND_REQUEST  [dt=0]
t=190197 [st=  1]        HTTP_TRANSACTION_SEND_REQUEST_HEADERS
                         --> POST /accounts/v1/user/authenticate HTTP/1.1
                             Host: example.com
                             Connection: keep-alive
                             Content-Length: 43
                             Accept: application/json, text/plain, */*
                             Origin: http://example.com:4200
                             User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
                             Content-Type: application/json
                             Referer: http://example.com:4200/
                             Accept-Encoding: gzip, deflate
                             Accept-Language: en-US,en;q=0.9
                             Cookie: Authorization="xxxx"
t=190197 [st=  1]        HTTP_TRANSACTION_SEND_REQUEST_BODY
                         --> did_merge = false
                         --> is_chunked = false
                         --> length = 43
t=190197 [st=  1]        UPLOAD_DATA_STREAM_READ  [dt=0]
                         --> current_position = 0
t=190197 [st=  1]        UPLOAD_DATA_STREAM_READ  [dt=0]
                         --> current_position = 43
t=190197 [st=  1]     -HTTP_TRANSACTION_SEND_REQUEST
t=190197 [st=  1]     +HTTP_TRANSACTION_READ_HEADERS  [dt=122]
t=190197 [st=  1]        HTTP_STREAM_PARSER_READ_HEADERS  [dt=122]
t=190319 [st=123]        HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                         --> HTTP/1.1 200 OK
                             Server: nginx/1.15.6
                             Date: Wed, 17 Apr 2019 21:27:35 GMT
                             Content-Type: application/json;charset=UTF-8
                             Transfer-Encoding: chunked
                             Connection: keep-alive
                             Expires: 0
                             Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                             Set-Cookie: Authorization="xxxx"; Version=1; Domain=.example.com; Max-Age=1031; Expires=Wed, 17-Apr-2019 21:44:46 GMT
                             X-XSS-Protection: 1; mode=block
                             Pragma: no-cache
                             X-Frame-Options: DENY
                             Access-Control-Allow-Origin: http://example.com:4200
                             Vary: Origin
                             Vary: Access-Control-Request-Method
                             Vary: Access-Control-Request-Headers
                             Access-Control-Allow-Credentials: true
                             X-Content-Type-Options: nosniff
t=190319 [st=123]     -HTTP_TRANSACTION_READ_HEADERS
t=190319 [st=123]      NETWORK_DELEGATE_HEADERS_RECEIVED  [dt=0]
t=190320 [st=124]   -URL_REQUEST_START_JOB
t=190320 [st=124]    URL_REQUEST_DELEGATE_RESPONSE_STARTED  [dt=0]
t=190320 [st=124]    HTTP_TRANSACTION_READ_BODY  [dt=1]
t=190321 [st=125]    URL_REQUEST_JOB_FILTERED_BYTES_READ
                     --> byte_count = 698
                     --> bytes = "xxxx"
t=190321 [st=125]    HTTP_TRANSACTION_READ_BODY  [dt=0]
t=190321 [st=125] -REQUEST_ALIVE

使用 Chrome 选项

一些帖子建议禁用此 chrome 选项 chrome://flags/#site-isolation-trial-opt-out。但这没有任何效果。

角度

在我的 Angular 发布请求中添加了 withCredentials: true 选项。但这并没有解决问题。

卷曲

我尝试使用 curl 模拟来自 UI 的请求

curl -i -H 'Origin: http://example.com:4200' -H 'Accept: application/json, text/plain, */*' -H 'Content-Type: application/json' -H 'Referer: http://example.com:4200/' --request POST --data '"primaryEmailAddress":"testest@gmail.com"' http://example.com:8080/accounts/v1/user/authenticate

请求的响应标头包含设置的 cookie 标头

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: Authorization="Bearer xxxx"; Version=1; Domain=.example.com; Max-Age=545; Expires=Wed, 17-Apr-2019 22:00:46 GMT
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: DENY
Date: Wed, 17 Apr 2019 21:51:41 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://example.com.com:4200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
Transfer-Encoding: chunked
Content-Type: application/json;charset=UTF-8

【问题讨论】:

【参考方案1】:

我注意到了同样的行为(使用 Chrome 75)。我不知道为什么 Chrome 开发工具没有在 Network 选项卡下显示 Set-Cookie 响应标头。 (看起来应该。)但是,如果您查看“应用程序”选项卡(请参阅应用程序 -> 存储 -> Cookies),您可以验证 cookie 是否已设置。在那里,您还可以编辑和清除 cookie。

【讨论】:

【参考方案2】:

这似乎是由于 Chrome 中的错误所致。将 Chrome 更新到最新版本为我解决了这个问题。

【讨论】:

以上是关于Set-Cookie 标头未出现在 Google Chrome 中的主要内容,如果未能解决你的问题,请参考以下文章

为啥浏览器会忽略 set-cookie 标头,并且未使用 fetch 从 Ajax 调用中保存 cookie?

在 chrome 中显示时没有 Set-Cookie 标头

Set-cookie标头不保存cookie

Wininet 是不是处理 HTTP 标头值“Set-Cookie”?

为啥我看到多个 set-cookie 标头?

为啥 Chrome 会忽略 Set-Cookie 标头?