Jetty - HttpOnly cookie not saved in the browser with embedded Jetty 11
In my web app I am setting response cookies this way:
Cookie testCookie = new Cookie("test", "mycookie");
testCookie.setHttpOnly(true);
testCookie.setPath("/");
testCookie.setMaxAge(3600);
testCookie.setSecure(true);
response.addCookie(testCookie); // Response is of type HttpServletResponse
The client that is performing the requests is running on localhost.
When I look at the request in Chrome, I see the Cookies tab and see that the cookie was received, but I cannot find this cookie in Chrome when I look in the Application->Cookies tab, and the other requests I do after this was done do not send cookies.
Also, in Jetty 11 I cannot seem to be able to set the SameSite attribute of the cookie.
How can I set this cookie, and is it normal that an HttpOnly cookie is not visible in the Application tab in Chrome? How can I verify if it was set or not?
EDIT:
Additional details
I am running the client at https://localhost and the server is using https with a self-signed certificate.
The cookie I am receiving seems correct from the response, but then Chrome does not seem to save it.
Comments (1)
Our experience is that Chrome will reject/drop any Set-Cookie without a SameSite value set.
The behavior in Jetty 11 ...
jakarta.servlet.http.Cookie has no setters/getters for "SameSite" (that's a feature of the next Servlet API release).
The ServletContext attribute org.eclipse.jetty.cookie.sameSiteDefault contains the default value for the SameSite cookie attribute (use one of the values None, Strict, or Lax). If this attribute is unset, there is no SameSite value provided with your cookies.
SameSite, and HttpOnly, can also be set with cookie comments in Jetty to control specific cookie SameSite behavior. Example:
When evaluating these changes in your browser, confirm that the Set-Cookie response header is what you want first, then look at the Application tab. Note that Chrome has tons of special rules for domain names that are IP addresses, single-label domains, and reserved hostnames such as "test" or "localhost", etc. These do not work normally for TLS/SSL, SameSite, CORS, preflight requests, etc. Avoid using any of these while you are testing; use a fully qualified hostname when you can, otherwise you'll be surprised by these rules.
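As an added example (not the answer's or Jetty's own code), here is an embedded Jetty 11 server that uses both mechanisms from the answer: the context-wide org.eclipse.jetty.cookie.sameSiteDefault attribute and a per-cookie comment marker from org.eclipse.jetty.http.HttpCookie. The class names, port, servlet path and cookie values are constructed for illustration; the TLS connector from the question is omitted.

```java
import java.io.IOException;

import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpCookie;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

// Hypothetical class, constructed for this example.
public class SameSiteCookieExample {

    public static void main(String[] args) throws Exception {
        // Plain HTTP on 8080 for brevity; a Secure cookie is only stored by the
        // browser over https, so wire a TLS connector here for the question's setup.
        Server server = new Server(8080);
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");

        // Context-wide default: any cookie added without its own SameSite marker
        // is emitted with SameSite=Lax. The constant expands to
        // "org.eclipse.jetty.cookie.sameSiteDefault"; valid values are None, Strict, Lax.
        context.setAttribute(HttpCookie.SAME_SITE_DEFAULT_ATTRIBUTE, "Lax");

        context.addServlet(new ServletHolder(new CookieServlet()), "/cookie");
        server.setHandler(context);
        server.start();
        server.join();
    }

    // Hypothetical servlet that sets the cookie from the question.
    public static class CookieServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            Cookie c = new Cookie("test", "mycookie");
            c.setHttpOnly(true);
            c.setSecure(true);
            c.setPath("/");
            c.setMaxAge(3600);
            // Per-cookie override: Jetty reads this marker ("__SAME_SITE_STRICT__") from the
            // comment, emits SameSite=Strict and strips the marker from the Set-Cookie header.
            c.setComment(HttpCookie.SAME_SITE_STRICT_COMMENT);
            resp.addCookie(c);
            resp.setContentType("text/plain");
            resp.getWriter().println("cookie set");
        }
    }
}
```

Verify the result on the wire rather than in the Application tab: the Set-Cookie header for /cookie should read `test=mycookie; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Strict`, with no `__SAME_SITE_STRICT__` text left in it.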