请求JS时未发送cookie
问题最初发布在网站管理员上,建议将其移至此处。
我托管一个网络服务,并为我的会员提供一个 Javascript 书签,它从我的服务器加载 JS 脚本。但是,客户端必须登录才能接收 JS 脚本。这对几乎每个人都有效。然而,一些设置(即浏览器/操作系统)的用户已知可以为其他人工作有以下问题:当他们通过 javascript 书签从我的服务器请求脚本时,他们的 cookie 来自我的服务器不包含在请求中,因此它们始终“未经过身份验证”。
我通过以下方式发出请求:
var myScript = eltCreate('script');
myScript.setAttribute('src','http://myserver.com/script');
document.body.appendChild(myScript);
在困惑的绝望中,我更改了脚本页面以简单地输出“我的 cookie 有 [x] 元素”,其中 [x] 是 count($_COOKIE)http://myserver.example.com 上的代码>。如果该用户子集使用小书签中编码的上述方法请求脚本,则消息将显示“我的 cookie 有 0 个元素”。当他们直接在浏览器中访问 URL 时,消息显示“我的 cookie 有 7 个元素”。
到底发生了什么?更重要的是,我该如何解决这个问题?
Question originally posted on Webmasters, was recommended to move it here.
I host a webservice, and provide my members with a Javascript bookmarklet, which loads a JS sript from my server. However, clients must be logged in, in order to receive the JS script. This works for almost everybody. However, some users on setups (i.e. browser/OS) that are known to work for other people have the following problem: when they request the script via the javascript bookmarklet from my server, their cookie from my server does not get included with the request, and as such they are always "not authenticated".
I'm making the request in the following way:
var myScript = eltCreate('script');
myScript.setAttribute('src','http://myserver.com/script');
document.body.appendChild(myScript);
In a fit of confused desperation, I changed the script page to simply output "My cookie has [x] elements" where [x] is count($_COOKIE) on http://myserver.example.com. If this subset of users requests the script using the above method encoded in the bookmarklet, the message reads "My cookie has 0 elements". When they access the URL directly in their browser, the message reads "My cookie has 7 elements".
What on earth could be going on?! And more importantly, how would I fix this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我很确定这是一个隐私设置问题。受影响的浏览器可能增加了隐私设置,拒绝第三方脚本设置 cookie。
当我将指向域 B 的 IFRAME 放置在域 A 托管的网站上时,我也遇到过类似的问题。某些浏览器拒绝我的 IFRAME 为它自己的域设置 cookie,因为它触发了隐私问题。
您可能希望在脚本 src 属性中存储哈希并让它以这种方式对用户进行身份验证。
编辑:这就是我所说的:在 Safari 中设置跨域 cookie
I'm pretty sure this is a privacy setting issue. The affected browsers probably have increased their privacy settings refusing 3rd party scripts from setting cookies.
I've experience similar issues when placing an IFRAME pointing to domain B on a site hosted on domain A. Some browsers refused that my IFRAME set cookies for it's own domain because it triggered a privacy issue.
You might want to store a hash in the script src attribute and have it authenticate users that way.
Edit: This is sort of what I'm talking about: Setting cross-domain cookies in Safari