远程API中的Set-Cookie无法正常工作
我目前在需要使用httpOnly cookie的项目中。该项目需要直接调用API。
I'm currently on project that needs to use an httpOnly cookie. The project requires a direct call to the API.
假设它是 xxx.com/vx/auth/login 验证用户登录尝试的身份。该端点将给客户端响应并设置cookie。是这样的:
Let's say it's xxx.com/vx/auth/login that authenticates user login attempt. That endpoint will give response and also set-cookie to the client. Something like this:
的Set-Cookie:标记= eyJ0b2tlbiI6ImV5SmhiR2NpT2lKSVV6STFOaUlzSW5SNWNDSTZJa3BYVkNKOS5leUoxYVdRaU9pSXhNREEwT0RJd05DSXNJbDlwWkNaNkluWXhYM1Z6WlhKekx6RXdNRFE0TWpBMElpd2libUZ0WlNJNklrRm5kVzVuSUZOMWNubGhJRUpoYm1kellTSXNJbVZ0WVdsc0lqb2ljR0ZwYm1GdVpHVnpkR2x1WldSQWVXRm9iMjh1WTI5ddlpd2liR1YyWld3aU9qQXNJbWxoZENJNk1UUTNOek0zTVRnMk55d2laWGh3SWpveE5EYzNOVFEwTmpZc2ZRLmtUN0IzNW9YYjQ2RmU3WWFLYkd4MXhoYkdGUWJ1TFg1U053N3FWSjNfa2siffQ ==; expires =星期四,2016年10月27日,格林尼治标准时间;路径= /; HttpOnly
但是当我查看 devtools 时,cookie没有设置。即使我刷新了几次。
But when I look at the devtools, the cookie is not set. Even after I refresh several times.
我在这里想念什么?我需要创建一个代理来处理吗? *我曾经使用代理,并且效果很好
What do I miss here? Do I need to create a proxy to handle this? * I used to use proxy and it works well
我终于设法与后端工程师合作,解决了这个问题:
I finally managed to solve this problem by coordinating with the backend engineer guy:
- 从Access-Control-Allow-Origin删除通配符,而改用特定的域来源。如果不是,则
- 设置
Access-Control-Allow-Credentials:true
- Remove wildcard from Access-Control-Allow-Origin and use specific domain origin instead. If not,
- Set
Access-Control-Allow-Credentials: true
在请求中,我将 withCredentials 设置为 true 。
And in the request, I set withCredentials to true.
注意:如果将 withCredentials 设置为 true ,则必须还将 Access-Control-Allow-Credentials 设置为 true 。另外,如果您仍在 Access-Control-Allow-Origin 中使用通配符,则此方法将无效。
NOTE: If you set withCredentials to true, you have to set Access-Control-Allow-Credentials to true also. Plus, this won't work if you still use wildcard in your Access-Control-Allow-Origin.