允许在不安全的域上使用 cookie
Allow cookie on unsecure domain
我在 https://localhost:5001 上有我的项目 运行,我想从 http://localhost:3000 上的站点 运行 访问它。
http://localhost:3000 上的站点可以发出成功的身份验证请求,但未在 JsonServiceClient 中设置身份验证 cookie。
运行 在 https 上正确设置了 cookie。
这些是 headers:
General
Request URL: https://localhost:5001/json/reply/Authenticate
Request Method: POST
Status Code: 200
Remote Address: [::1]:5001
Referrer Policy: strict-origin-when-cross-origin
Response
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Allow, Authorization, X-Args
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
access-control-allow-origin: http://localhost:3000
content-type: application/json; charset=utf-8
date: Wed, 10 Nov 2021 04:03:44 GMT
server: Kestrel
set-cookie: ss-id=yjHzB7bEOgfKvSOy1hEL; path=/; secure; samesite=lax; httponly
set-cookie: ss-pid=8bGyiksCKX2TFcpvHOnE; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
set-cookie: ss-opt=temp; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
set-cookie: X-UAId=1; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
vary: Accept
x-powered-by: ServiceStack/5.120 NetCore/Windows
request
:authority: localhost:5001
:method: POST
:path: /json/reply/Authenticate
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en,en-GB;q=0.9
cache-control: no-cache
content-length: 52
content-type: application/json
origin: http://localhost:3000
pragma: no-cache
referer: http://localhost:3000/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
我正在尝试找到允许 non-secure 域上的 cookie 的正确设置。会话已通过 Auth 插件添加到项目中。
我试过了:
SetConfig(new HostConfig
{
AddRedirectParamsToQueryString = true,
DebugMode = AppSettings.Get(nameof(HostConfig.DebugMode), HostingEnvironment.IsDevelopment()),
UseHttpOnlyCookies = false,
UseSecureCookies = false,
});
但它仍然没有为后续请求保存 cookie。
我需要设置什么才能在 http 上允许 cookie?
编辑:
科尔斯:
appHost.Plugins.Add(new CorsFeature(
allowOriginWhitelist: new[]
{
"https://localhost:5001",
"http://localhost:3000",
"https://localhost:3000"
},
allowCredentials: true,
allowedHeaders: "Content-Type, Allow, Authorization, X-Args"));
}
我正在像这样创建打字稿客户端:
let client = new JsonServiceClient(environment.apiUrl);
let req = new Authenticate();
req.userName = email;
req.password = password;
req.rememberMe =rememberMe;
let resp = await client.post(req);
后续请求失败:
equest URL: https://localhost:5001/json/reply/NextInputRequest
Request Method: GET
Status Code: 401
Remote Address: [::1]:5001
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Allow, Authorization, X-Args
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
access-control-allow-origin: http://localhost:3000
content-length: 0
date: Wed, 10 Nov 2021 06:23:58 GMT
server: Kestrel
set-cookie: ss-pid=bS8yNkiGoDuJpkTicMry; expires=Sun, 10 Nov 2041 06:23:59 GMT; path=/; secure; samesite=lax; httponly
set-cookie: ss-id=1c38cciEgpnwTEg5DDaf; path=/; secure; samesite=lax; httponly
vary: Accept
www-authenticate: credentials realm="/auth/credentials"
x-powered-by: ServiceStack/5.120 NetCore/Windows
:authority: localhost:5001
:method: GET
:path: /json/reply/NextInputRequest
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en
cache-control: no-cache
content-type: application/json
origin: http://localhost:3000
pragma: no-cache
referer: http://localhost:3000/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
如果此 CORS 请求不是来自使用 @servicestack/client JsonServiceClient which is configured to send cookies by default, it needs to be configured to include the credentials,例如:
fetch('https://example.com', {
credentials: 'include'
});
如果您认为所有配置都正确,请检查它是否不是 Chrome localhost Cookies bug 的结果。
否则,需要大量相关信息来帮助确定缺失的问题:
- 配置Cors Feature。
- 显示用于发出 CORS 请求的客户端代码
- 失败的 HTTP Request/Response headers 未能包含 cookie
- 浏览器开发控制台错误的屏幕截图,例如网络检查员
我在 https://localhost:5001 上有我的项目 运行,我想从 http://localhost:3000 上的站点 运行 访问它。
http://localhost:3000 上的站点可以发出成功的身份验证请求,但未在 JsonServiceClient 中设置身份验证 cookie。
运行 在 https 上正确设置了 cookie。
这些是 headers:
General
Request URL: https://localhost:5001/json/reply/Authenticate
Request Method: POST
Status Code: 200
Remote Address: [::1]:5001
Referrer Policy: strict-origin-when-cross-origin
Response
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Allow, Authorization, X-Args
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
access-control-allow-origin: http://localhost:3000
content-type: application/json; charset=utf-8
date: Wed, 10 Nov 2021 04:03:44 GMT
server: Kestrel
set-cookie: ss-id=yjHzB7bEOgfKvSOy1hEL; path=/; secure; samesite=lax; httponly
set-cookie: ss-pid=8bGyiksCKX2TFcpvHOnE; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
set-cookie: ss-opt=temp; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
set-cookie: X-UAId=1; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
vary: Accept
x-powered-by: ServiceStack/5.120 NetCore/Windows
request
:authority: localhost:5001
:method: POST
:path: /json/reply/Authenticate
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en,en-GB;q=0.9
cache-control: no-cache
content-length: 52
content-type: application/json
origin: http://localhost:3000
pragma: no-cache
referer: http://localhost:3000/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
我正在尝试找到允许 non-secure 域上的 cookie 的正确设置。会话已通过 Auth 插件添加到项目中。
我试过了:
SetConfig(new HostConfig
{
AddRedirectParamsToQueryString = true,
DebugMode = AppSettings.Get(nameof(HostConfig.DebugMode), HostingEnvironment.IsDevelopment()),
UseHttpOnlyCookies = false,
UseSecureCookies = false,
});
但它仍然没有为后续请求保存 cookie。
我需要设置什么才能在 http 上允许 cookie?
编辑:
科尔斯:
appHost.Plugins.Add(new CorsFeature(
allowOriginWhitelist: new[]
{
"https://localhost:5001",
"http://localhost:3000",
"https://localhost:3000"
},
allowCredentials: true,
allowedHeaders: "Content-Type, Allow, Authorization, X-Args"));
}
我正在像这样创建打字稿客户端:
let client = new JsonServiceClient(environment.apiUrl);
let req = new Authenticate();
req.userName = email;
req.password = password;
req.rememberMe =rememberMe;
let resp = await client.post(req);
后续请求失败:
equest URL: https://localhost:5001/json/reply/NextInputRequest
Request Method: GET
Status Code: 401
Remote Address: [::1]:5001
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Allow, Authorization, X-Args
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
access-control-allow-origin: http://localhost:3000
content-length: 0
date: Wed, 10 Nov 2021 06:23:58 GMT
server: Kestrel
set-cookie: ss-pid=bS8yNkiGoDuJpkTicMry; expires=Sun, 10 Nov 2041 06:23:59 GMT; path=/; secure; samesite=lax; httponly
set-cookie: ss-id=1c38cciEgpnwTEg5DDaf; path=/; secure; samesite=lax; httponly
vary: Accept
www-authenticate: credentials realm="/auth/credentials"
x-powered-by: ServiceStack/5.120 NetCore/Windows
:authority: localhost:5001
:method: GET
:path: /json/reply/NextInputRequest
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en
cache-control: no-cache
content-type: application/json
origin: http://localhost:3000
pragma: no-cache
referer: http://localhost:3000/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
如果此 CORS 请求不是来自使用 @servicestack/client JsonServiceClient which is configured to send cookies by default, it needs to be configured to include the credentials,例如:
fetch('https://example.com', {
credentials: 'include'
});
如果您认为所有配置都正确,请检查它是否不是 Chrome localhost Cookies bug 的结果。
否则,需要大量相关信息来帮助确定缺失的问题:
- 配置Cors Feature。
- 显示用于发出 CORS 请求的客户端代码
- 失败的 HTTP Request/Response headers 未能包含 cookie
- 浏览器开发控制台错误的屏幕截图,例如网络检查员