标题中存在的set-cookie,但不在浏览器中设置
我们目前正在与客户/API Cookie生成的错误相抵触。我们使用的是Angular 12和Nginx,用于在cms.domain.co.uk子域上运行的前端服务器;后端在api.domain.co.uk:3067的子域中使用pm2运行node.js。
我们的后端nodejs文件具有以下CORS选项段:
const app = express();
app.use(express.json());
app.use(cookieParser());
app.use(cors({
origin: 'https://cms.domain.cloud',
credentials: true,
methods: 'GET, POST, OPTIONS',
allowedHeaders: 'Origin, Content-Type, X-Auth-Token, Set-Cookie, Authorisation, Accept'
}));
我们将cookie设置在node.js文件中:
response.cookie('LoginCookie', sid, {httpOnly: true, secure: true, SameSite: "none"});
我们尝试了原始,标签和策略的所有可行组合,现在正式陷入困境。请原谅我们的天真,因为我们来自非杂交起源背景。
服务器的响应式标头包含set-cookie标签,但是cookie尚未在浏览器中设置,允许凭证控件在帖子和选项中均设置为true,以及具有始终设置以避免CORS错误。
这是发送的前飞行选项标头:
这是带有SET的帖子标头-cookie tag:
通过使用使用Chrome.exe -exe -user启动另一个Chrome窗口-data-dir =“ c:/chrome dev Session” - 可访问 - 浏览器,浏览器在一个部分中确认cookie的存在,但不在另一部分中:
谢谢!
We are currently up against an error with our client/api cookie generation. We are using Angular 12 and NGINX for a frontend server running with SSL on a subdomain of cms.domain.co.uk; the backend is running node.js with pm2 on a subdomain of api.domain.co.uk:3067 with SSL.
Our Backend nodejs file has the following CORS options snippet:
const app = express();
app.use(express.json());
app.use(cookieParser());
app.use(cors({
origin: 'https://cms.domain.cloud',
credentials: true,
methods: 'GET, POST, OPTIONS',
allowedHeaders: 'Origin, Content-Type, X-Auth-Token, Set-Cookie, Authorisation, Accept'
}));
We are setting the cookie in the node.js file as follows:
response.cookie('LoginCookie', sid, {httpOnly: true, secure: true, SameSite: "none"});
We have tried every feasible combination of origins, tags, and policies and we are now officially stumped. Excuse our naivety in CORS as we have come from non-cross origin background.
The responsive header from the server contains the set-cookie tag but the cookie isn't being set in the browser, allow credential controls is set to true in both the POST and OPTIONS as well as having the origin set to avoid CORS errors.
This is the pre-flight OPTIONS header sent:
This is the POST header sent with the Set-Cookie tag:
By starting another window of chrome with the using chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security, the browser acknowledge the existence of the cookie in one section but not in the other:
Any feedback or help would be greatly appreciated! Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果您在前端使用AXIO来调用API,请添加
withCredentials:true,然后它将起作用。例子:
If you are using Axios on the frontend for calling an API, add
withCredentials: trueand then it will work.Example:
另一种选择是检索“ logincookie”键set-cookie标头的deal值,然后通过
document.cookie.setitem('logincookie',< data>)将其存储到浏览器中。An alternative is to retrieve de value of the 'LoginCookie' key Set-Cookie header, and store it to browser by
document.cookie.setItem( 'LoginCookie', <data>)