在不安全的域上允许 cookie
Posted
技术标签:
【中文标题】在不安全的域上允许 cookie【英文标题】:Allow cookie on unsecure domain 【发布时间】:2021-12-22 18:17:19 【问题描述】:我的项目在 https://localhost:5001 上运行,我想从运行在 http://localhost:3000 上的站点访问它。
http://localhost:3000 上的站点可以发出成功的身份验证请求,但在 JsonServiceClient 中没有设置身份验证 cookie。
在 https 上运行,cookie 设置正确。
这些是标题:
General
Request URL: https://localhost:5001/json/reply/Authenticate
Request Method: POST
Status Code: 200
Remote Address: [::1]:5001
Referrer Policy: strict-origin-when-cross-origin
Response
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Allow, Authorization, X-Args
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
access-control-allow-origin: http://localhost:3000
content-type: application/json; charset=utf-8
date: Wed, 10 Nov 2021 04:03:44 GMT
server: Kestrel
set-cookie: ss-id=yjHzB7bEOgfKvSOy1hEL; path=/; secure; samesite=lax; httponly
set-cookie: ss-pid=8bGyiksCKX2TFcpvHOnE; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
set-cookie: ss-opt=temp; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
set-cookie: X-UAId=1; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
vary: Accept
x-powered-by: ServiceStack/5.120 NetCore/Windows
request
:authority: localhost:5001
:method: POST
:path: /json/reply/Authenticate
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en,en-GB;q=0.9
cache-control: no-cache
content-length: 52
content-type: application/json
origin: http://localhost:3000
pragma: no-cache
referer: http://localhost:3000/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/95.0.4638.69 Safari/537.36
我正在尝试找到正确的设置以允许在非安全域上使用 cookie。 Auth 插件已将会话添加到项目中。
我试过了:
SetConfig(new HostConfig
AddRedirectParamsToQueryString = true,
DebugMode = AppSettings.Get(nameof(HostConfig.DebugMode), HostingEnvironment.IsDevelopment()),
UseHttpOnlyCookies = false,
UseSecureCookies = false,
);
但它仍然没有为后续请求保存 cookie。
我需要设置什么来允许 http 上的 cookie?
编辑:
科斯:
appHost.Plugins.Add(new CorsFeature(
allowOriginWhitelist: new[]
"https://localhost:5001",
"http://localhost:3000",
"https://localhost:3000"
,
allowCredentials: true,
allowedHeaders: "Content-Type, Allow, Authorization, X-Args"));
我正在像这样创建打字稿客户端:
let client = new JsonServiceClient(environment.apiUrl);
let req = new Authenticate();
req.userName = email;
req.password = password;
req.rememberMe =rememberMe;
let resp = await client.post(req);
后续请求失败:
equest URL: https://localhost:5001/json/reply/NextInputRequest
Request Method: GET
Status Code: 401
Remote Address: [::1]:5001
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Allow, Authorization, X-Args
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
access-control-allow-origin: http://localhost:3000
content-length: 0
date: Wed, 10 Nov 2021 06:23:58 GMT
server: Kestrel
set-cookie: ss-pid=bS8yNkiGoDuJpkTicMry; expires=Sun, 10 Nov 2041 06:23:59 GMT; path=/; secure; samesite=lax; httponly
set-cookie: ss-id=1c38cciEgpnwTEg5DDaf; path=/; secure; samesite=lax; httponly
vary: Accept
www-authenticate: credentials realm="/auth/credentials"
x-powered-by: ServiceStack/5.120 NetCore/Windows
:authority: localhost:5001
:method: GET
:path: /json/reply/NextInputRequest
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en
cache-control: no-cache
content-type: application/json
origin: http://localhost:3000
pragma: no-cache
referer: http://localhost:3000/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
【问题讨论】:
【参考方案1】:如果这个CORS请求不是来自默认配置为发送cookie的@servicestack/client JsonServiceClient,它需要是configured to include the credentials,例如:
fetch('https://example.com',
credentials: 'include'
);
如果您认为一切都已正确配置,请检查它是否不是 Chrome localhost Cookies bug 的结果。
否则,需要大量相关信息来帮助识别缺失的问题:
Cors Feature 的配置。 显示用于发出 CORS 请求的客户端代码 失败的 HTTP 请求/响应标头未能包含 cookie 浏览器开发控制台中的错误截图,例如网络检查员【讨论】:
您好,mythz 感谢您的回复。我更新了问题。我在 chrome 中尝试了隐身模式,但行为相同。奇怪的是,如果我在 Firefox 中尝试,它不会让初始请求通过,直到我选择允许在 5001 上进行自签名证书的选项(它是调试中默认使用的 asp.net 开发根证书)。在我允许之后,一切正常,所以我认为这必须是一个特定于 chrome 的错误,它要么不喜欢缺少前端证书,要么正在检测 Visual Studio ssl 证书。感谢您的关注,似乎不是 SS 问题 @Guerrilla 无法从这里识别问题,Chrome 或 Firefox 的开发控制台中是否还有其他 CORS 错误?您能否尝试在http://localhost:5000
上托管以查看我们的自签名 SSL 证书问题。
我设置了UseSameSiteCookies = false, UseSecureCookies = true
,然后它就起作用了。我认为问题是 cookie 中的相同站点值,但这似乎使它起作用。以上是关于在不安全的域上允许 cookie的主要内容,如果未能解决你的问题,请参考以下文章
CSRF 保护如何为我提供比 CORS 控制更高的安全性(前端/后端位于两个不同的域)?