浏览器不将cookie发送到同一域内的API
我已将API部署在两个单独的名称空间中,admin.abc.com(原始)和api.admin.abc.com(new)。完成登录后,admin.abc.com网站.admin.abc.com设置了JWT cookie。 cookie用于会话,安全和httponly,并且没有设置任何框架限制。此cookie适用于admin.abc.com的所有API调用。
由于一些新的更改需要单独部署的一些服务,因此现在还在命名空间api.admin.abc.com中部署了服务。我有一个状态页面,可以为我提供有关服务,内存等的信息,并且对原始名称空间的工作正常。但是,当我将状态调用添加到第二个命名空间时,没有传递cookie,呼叫失败了身份验证。但是,如果我在浏览器中的另一个选项卡中打开URL,则cookie将传递给后端,并且通话成功。
在检索JWT的价值后,我研究了在请求期间将自己的cookie设置在标题中。这是有两个原因的失败的:1)我不相信我可以访问JWT的值,因为cookie是httponly,而2)我无法在httpheader选项中设置cookie。如果尝试尝试,我会在控制台中获得“拒绝设置不安全标头”错误。如果我打开“使用授权:true”,它确实设置了它(但仍打印出错误),然后实际上遇到了CORS错误。
如果我使用EditthisCookie扩展程序手动在cookie上手动禁用HTTPonly标志,则可以成功使用呼叫。我真的不认为这是我公司安全的选择,但是从技术上讲,这是有效的。
我知道一些建议将JWT作为授权发送:我会这样做,但是由于cookie是httponly的,我无法检索该值并以编程方式设置它。此外,有时我想发送另一个网站cookie,我无法真正切换到一些自定义标题。
关于我能做什么的想法?不可能吗?我唯一的选择是,必须通过内置的旧名称空间内置的API来路由新名称空间的所有请求。
I have APIs deployed in 2 separate namespaces, admin.abc.com (original) and api.admin.abc.com (new). Upon completing login, a jwt cookie is set by the admin.abc.com site for .admin.abc.com. The cookie is for the Session, Secure and HttpOnly and it does not have any SameSite restrictions set. This cookie works well for all API calls to admin.abc.com.
Due to some new changes requiring some services to deployed separately, there are now services also deployed in the namespace api.admin.abc.com. I have a status page that gives me information about the services, memory, etc. and it works fine for the original namespace. But when I add in a status call to the second namespace, no cookies are passed along and the call fails authentication. However, if I open the URL in another tab in my browser, the cookies are passed to the backend and the call succeeds.
I've looked into setting my own cookies in the header during the request after retrieving the jwt's value. This fails for 2 reasons: 1) I don't believe I can access the jwt's value as the cookie is HttpOnly, and 2) I can't set a cookie in the HttpHeader options. I get a "Refused to Set Unsafe Header" error in the console if I try. If I turn on 'withAuthorization:true', it does set it (but still prints the error) and then actually gets a CORS error.
If I manually disable the HttpOnly flag on the cookie using EditThisCookie extension, the calls work successfully. I don't really think it's an option for me with my company's security, but it technically works.
I know some suggest sending the jwt as an Authorization: Bearer token, which I would do, but because the cookie is HttpOnly, I can't retrieve the value and programmatically set it. Additionally there is another site-wide cookie I'd like to send over at times that I can't really switch to some custom header.
Thoughts on what I can do? Is it not possible? My only other option is that all requests to the new namespace have to be routed through an API built in the old namespace.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论