Can you reliably set or delete cookies during the server-side processing of an Ajax (XHR) call?

Posted 2024-07-04 11:25:38 · 383 words · 9 views · 0 comments


I have done a bit of testing on this myself (during the server-side processing of a DWR Framework Ajax request handler, to be exact) and it seems you CAN successfully manipulate cookies, but this goes against much that I have read on Ajax best practices and how browsers interpret the response from an XmlHttpRequest. Note I have tested on:

  • IE 6 and 7
  • Firefox 2 and 3
  • Safari

and in all cases standard cookie operations on the HttpServletResponse object during Ajax request handling were correctly interpreted by the browser, but I would like to know if it is best practice to push the cookie manipulation to the client side, or if this (much cleaner) server-side cookie handling can be trusted.

I would welcome answers both specific to the DWR Framework and Ajax in general.
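As an added illustration (not code from the question, from DWR, or from any of the answers), here is a plain servlet that sets and deletes a cookie on the HttpServletResponse from an Ajax endpoint. The cookie name, the Path, and the /ajax endpoint are hypothetical. The practical points it encodes: the same Set-Cookie header the browser honours on a navigation is honoured on an XHR response; set HttpOnly and Secure so script cannot read the cookie and it only travels over TLS; and always set Path explicitly, because a delete is just a Set-Cookie with Max-Age=0 and the browser only matches it to the stored cookie when name, Path and Domain are identical. If Path is omitted, the browser derives a default path from the request URL (for /ajax/logout that is /ajax), so the delete targets a different cookie and silently does nothing.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative Ajax endpoint (added example, not DWR's own code).
 * POST /ajax?action=login  -> issues a session cookie
 * POST /ajax?action=logout -> deletes it
 * Both are meant to be called from XMLHttpRequest; the browser applies the
 * Set-Cookie headers on the XHR response exactly as on a page response.
 * In a DWR remoted method the same HttpServletResponse would be the one the
 * framework hands you; only a plain servlet is shown here to stay self-contained.
 */
public class CookieAjaxServlet extends HttpServlet {

    // Hypothetical cookie name and path. Path MUST be identical on set and delete.
    private static final String COOKIE_NAME = "SESSIONTOKEN";
    private static final String COOKIE_PATH = "/";

    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Endpoints that change cookie state must not be reachable by a plain
        // cross-site form POST. Requiring a custom header means a cross-origin
        // caller would need a CORS preflight, which the server does not grant.
        if (!"XMLHttpRequest".equals(req.getHeader("X-Requested-With"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String action = req.getParameter("action");
        if ("login".equals(action)) {
            Cookie c = new Cookie(COOKIE_NAME, issueToken());
            c.setPath(COOKIE_PATH);
            c.setHttpOnly(true);   // never exposed via document.cookie (Servlet 3.0+)
            c.setSecure(true);     // only sent over HTTPS
            c.setMaxAge(-1);       // session cookie: dropped when the browser closes
            resp.addCookie(c);
        } else if ("logout".equals(action)) {
            // Deletion: same name, same Path, Max-Age=0. Without the matching
            // Path the browser treats this as an unrelated cookie and keeps the
            // original session cookie.
            Cookie c = new Cookie(COOKIE_NAME, "");
            c.setPath(COOKIE_PATH);
            c.setHttpOnly(true);
            c.setSecure(true);
            c.setMaxAge(0);
            resp.addCookie(c);
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");
        resp.getWriter().write("{\"ok\":true}");
    }

    /** 256-bit random token, URL-safe so it needs no cookie-value quoting. */
    private static String issueToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
}
```

On the client, a same-origin XMLHttpRequest sends and receives cookies without any extra configuration; only a cross-origin request needs `withCredentials = true` and a matching `Access-Control-Allow-Credentials` header on the server, and the X-Requested-With header above is set explicitly by the client code (DWR adds it by default; a hand-written XHR must add it).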


Comments (3)

蝶…霜飞 2024-07-11 11:25:38


Manipulating cookies on the client side is rather the opposite of "best practice". And it shouldn't be necessary, either. HttpOnly cookies weren't introduced for nothing.

别把无礼当个性 2024-07-11 11:25:38


XMLHttpRequest always uses the Web Browser's connection framework. This is a requirement for AJAX programs to work correctly as the user would get logged out if the XHR object lacked access to the browser's cookie pool.

It's theoretically possible for a web browser to simply share session cookies without using the browser's connection framework, but this has never (to my knowledge) happened in practice. Even the Flash plugin uses the Web Browser's connections.

Thus the end result is that it IS safe to manipulate cookies via AJAX. Just keep in mind that the AJAX call might never happen. They are not guaranteed events, so don't count on them.

流年里的时光 2024-07-11 11:25:38


In the context of DWR it may not be "safe".

From reading the DWR site it says:

It is important that you treat the HTTP request and response as read-only. While HTTP headers might get through OK, there is a good chance that some browsers will ignore them.

I've taken this to mean that setting cookies or request attributes is a no-no.
Saying that, I have code which does set request attributes (code I wrote before I read that page) and it appears to work fine (apart from deleting cookies which I mentioned in my comment above).
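To make the browser side of the previous answers concrete, here is an added example (not from the thread) that models how a browser stores the Set-Cookie headers it receives on XMLHttpRequest responses: the same jar is used for XHR and navigation, HttpOnly cookies are stored but hidden from document.cookie, and a delete only takes effect when its Path matches the stored cookie. The origin host app.example, the cookie name and the /ajax paths are hypothetical; the default-path and path-match rules follow RFC 6265.

```javascript
// Added example: a minimal model of a browser cookie jar applied to XHR responses.
// Hypothetical origin; attribute handling follows RFC 6265 section 5.1.4.
const ORIGIN_HOST = "app.example";

// Default-path: the request path up to, but not including, the last "/".
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const i = requestPath.lastIndexOf("/");
  return i === 0 ? "/" : requestPath.slice(0, i);
}

// Path-match: does a cookie with cookiePath get sent on a request for requestPath?
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Parse one Set-Cookie header value received on a response for requestPath.
function parseSetCookie(header, requestPath) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    path: defaultPath(requestPath),
    domain: ORIGIN_HOST,
    httpOnly: false,
    secure: false,
    maxAge: null,
  };
  for (const a of attrs) {
    const [k, v = ""] = a.split("=");
    switch (k.toLowerCase()) {
      case "path": cookie.path = v.startsWith("/") ? v : defaultPath(requestPath); break;
      case "httponly": cookie.httpOnly = true; break;
      case "secure": cookie.secure = true; break;
      case "max-age": cookie.maxAge = parseInt(v, 10); break;
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.store = new Map(); }
  // A cookie's identity is (name, domain, path): a different Path is a different cookie.
  key(c) { return `${c.name}|${c.domain}|${c.path}`; }
  // Apply a Set-Cookie header from a response (XHR or navigation, it makes no difference).
  apply(header, requestPath) {
    const c = parseSetCookie(header, requestPath);
    if (c.maxAge !== null && c.maxAge <= 0) { this.store.delete(this.key(c)); return; }
    this.store.set(this.key(c), c);
  }
  // The Cookie header the browser would attach to a request for requestPath.
  cookieHeader(requestPath) {
    return [...this.store.values()]
      .filter((c) => pathMatches(c.path, requestPath))
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
  // What document.cookie exposes: HttpOnly cookies are never included.
  documentCookie(requestPath) {
    return [...this.store.values()]
      .filter((c) => !c.httpOnly && pathMatches(c.path, requestPath))
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

// Walk through a login XHR, a delete that misses, and a delete that matches.
function demo() {
  const jar = new CookieJar();
  // Constructed Set-Cookie values standing in for the server's XHR responses.
  jar.apply("SESSIONTOKEN=abc123; Path=/; HttpOnly; Secure", "/ajax/login");
  const afterLogin = jar.cookieHeader("/app/page");      // "SESSIONTOKEN=abc123"
  const scriptView = jar.documentCookie("/app/page");    // "" (HttpOnly hides it)
  // No Path attribute: default-path for /ajax/logout is /ajax, so this names a
  // different cookie and the session cookie survives.
  jar.apply("SESSIONTOKEN=; Max-Age=0", "/ajax/logout");
  const afterBadDelete = jar.cookieHeader("/app/page");  // still "SESSIONTOKEN=abc123"
  // Matching Path=/ removes it.
  jar.apply("SESSIONTOKEN=; Path=/; Max-Age=0", "/ajax/logout");
  const afterGoodDelete = jar.cookieHeader("/app/page"); // ""
  return { afterLogin, scriptView, afterBadDelete, afterGoodDelete };
}
```

Run `demo()` to see the four states. The missed delete is the case to watch for when server-side cookie handling during Ajax "works for setting but not for deleting": the browser did honour the header, it just applied it to a cookie with a different Path.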
