安全的httponly cookie未设置
我似乎无法用安全标志设置cookie。它在我所有其他项目上都没有工作,但没有针对这个项目。 我检查了许多其他指南,但对于此特定设置似乎没有任何作用。
请注意,我同时使用GraphQL和REST端点,并且设置Cookie对其中的任何一个都不起作用。
- 域托管在https
- frontend上托管在某种程度上。example.comapi在某种程度上。Example.com
- /graphql和 /auth
Server index.tsx
const app = express();
if (process.env.NODE_ENV === 'production') {
app.set('trust proxy', 1);
}
app.use(
session({
name: 'uId',
store: new RedisStore({ client: redisClient, disableTouch: true }),
saveUninitialized: false,
secret: process.env.SESSION_SECRET as string,
resave: false,
proxy: process.env.NODE_ENV === 'production',
cookie: {
maxAge: 1000 * 60 * 60 * 24 * 90, //3 months
secure: process.env.NODE_ENV === 'production',
httpOnly: process.env.NODE_ENV === 'production',
sameSite: 'lax', //same with "none"
},
}),
);
const server = new ApolloServer({
schema,
introspection: false,
context: ({ req, res }: { req: Request; res: Response }) => ({
req,
res,
}),
});
await server.start();
app.use(express.json({ limit: '50mb' }));
app.use(express.urlencoded({ limit: '50mb', extended: true }));
server.applyMiddleware({
app,
cors: {
credentials: true,
origin: [
process.env.ORIGIN as string,
'http://localhost:4000/',
'https://studio.apollographql.com',
],
},
bodyParserConfig: false,
});
//needed for REST?
app.use(cors({ origin: process.env.ORIGIN as string, credentials: true }));
app.use(cookies());
//Rest API
app.use('/auth', require('./src/auth/aai').router);
nginx(适用于API,REST API,但使用不同的端口)
proxy_pass http://localhost:3000; #whatever port your app runs on
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
Apollo设置
export const apolloClient = new ApolloClient({
uri: process.env.REACT_APP_API_ENDPOINT_GRAPHQL,
cache: new InMemoryCache(),
credentials: "include",
});
它非常适合它的功能。 Localhost和HTTPS域上的不安全饼干 我想念什么?
I can't seem to set cookies with secure flag. It worked on all my other projects but not with this one.
I checked many other guides but nothing seems to be working for this specific setup.
Note that I am using both graphql and rest endpoints, and setting cookies does not work on either of them.
- Domain is hosted over https
- Frontend is on something.example.com
- API is on something.example.com/graphql and /auth
Server index.tsx
const app = express();
if (process.env.NODE_ENV === 'production') {
app.set('trust proxy', 1);
}
app.use(
session({
name: 'uId',
store: new RedisStore({ client: redisClient, disableTouch: true }),
saveUninitialized: false,
secret: process.env.SESSION_SECRET as string,
resave: false,
proxy: process.env.NODE_ENV === 'production',
cookie: {
maxAge: 1000 * 60 * 60 * 24 * 90, //3 months
secure: process.env.NODE_ENV === 'production',
httpOnly: process.env.NODE_ENV === 'production',
sameSite: 'lax', //same with "none"
},
}),
);
const server = new ApolloServer({
schema,
introspection: false,
context: ({ req, res }: { req: Request; res: Response }) => ({
req,
res,
}),
});
await server.start();
app.use(express.json({ limit: '50mb' }));
app.use(express.urlencoded({ limit: '50mb', extended: true }));
server.applyMiddleware({
app,
cors: {
credentials: true,
origin: [
process.env.ORIGIN as string,
'http://localhost:4000/',
'https://studio.apollographql.com',
],
},
bodyParserConfig: false,
});
//needed for REST?
app.use(cors({ origin: process.env.ORIGIN as string, credentials: true }));
app.use(cookies());
//Rest API
app.use('/auth', require('./src/auth/aai').router);
Nginx (same for api, rest api but with different port)
proxy_pass http://localhost:3000; #whatever port your app runs on
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
Apollo setup
export const apolloClient = new ApolloClient({
uri: process.env.REACT_APP_API_ENDPOINT_GRAPHQL,
cache: new InMemoryCache(),
credentials: "include",
});
It works perfectly fine with unsecure cookies on both localhost and https domain
What am I missing?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论