在不安全的域上允许 cookie

【问题标题】:Allow cookie on unsecure domain在不安全的域上允许 cookie
【发布时间】:2021-12-22 18:17:19
【问题描述】:

我的项目在 https://localhost:5001 上运行,我想从运行在 http://localhost:3000 上的站点访问它。

http://localhost:3000 上的站点可以发出成功的身份验证请求,但在 JsonServiceClient 中没有设置身份验证 cookie。

在 https 上运行,cookie 设置正确。

这些是标题:

General
Request URL: https://localhost:5001/json/reply/Authenticate
Request Method: POST
Status Code: 200 
Remote Address: [::1]:5001
Referrer Policy: strict-origin-when-cross-origin

Response
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Allow, Authorization, X-Args
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
access-control-allow-origin: http://localhost:3000
content-type: application/json; charset=utf-8
date: Wed, 10 Nov 2021 04:03:44 GMT
server: Kestrel
set-cookie: ss-id=yjHzB7bEOgfKvSOy1hEL; path=/; secure; samesite=lax; httponly
set-cookie: ss-pid=8bGyiksCKX2TFcpvHOnE; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
set-cookie: ss-opt=temp; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
set-cookie: X-UAId=1; expires=Sun, 10 Nov 2041 04:03:44 GMT; path=/; secure; samesite=lax; httponly
vary: Accept
x-powered-by: ServiceStack/5.120 NetCore/Windows

request
:authority: localhost:5001
:method: POST
:path: /json/reply/Authenticate
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en,en-GB;q=0.9
cache-control: no-cache
content-length: 52
content-type: application/json
origin: http://localhost:3000
pragma: no-cache
referer: http://localhost:3000/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

我正在尝试找到正确的设置以允许在非安全域上使用 cookie。 Auth 插件已将会话添加到项目中。

我试过了:

SetConfig(new HostConfig
{
    AddRedirectParamsToQueryString = true,
    DebugMode = AppSettings.Get(nameof(HostConfig.DebugMode), HostingEnvironment.IsDevelopment()),
    UseHttpOnlyCookies = false,
    UseSecureCookies = false,
});

但它仍然没有为后续请求保存 cookie。

我需要设置什么来允许 http 上的 cookie?

编辑:

科斯:

appHost.Plugins.Add(new CorsFeature(
                allowOriginWhitelist: new[]
                { 
                    "https://localhost:5001",
                    "http://localhost:3000",
                    "https://localhost:3000"
                },
                allowCredentials: true,
                allowedHeaders: "Content-Type, Allow, Authorization, X-Args"));
        }

我正在像这样创建打字稿客户端:

    let client = new JsonServiceClient(environment.apiUrl);
    let req = new Authenticate();
    req.userName = email;
    req.password = password;
    req.rememberMe =rememberMe;

    let resp = await client.post(req);

后续请求失败:

equest URL: https://localhost:5001/json/reply/NextInputRequest
Request Method: GET
Status Code: 401 
Remote Address: [::1]:5001
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Allow, Authorization, X-Args
access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
access-control-allow-origin: http://localhost:3000
content-length: 0
date: Wed, 10 Nov 2021 06:23:58 GMT
server: Kestrel
set-cookie: ss-pid=bS8yNkiGoDuJpkTicMry; expires=Sun, 10 Nov 2041 06:23:59 GMT; path=/; secure; samesite=lax; httponly
set-cookie: ss-id=1c38cciEgpnwTEg5DDaf; path=/; secure; samesite=lax; httponly
vary: Accept
www-authenticate: credentials realm="/auth/credentials"
x-powered-by: ServiceStack/5.120 NetCore/Windows
:authority: localhost:5001
:method: GET
:path: /json/reply/NextInputRequest
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en
cache-control: no-cache
content-type: application/json
origin: http://localhost:3000
pragma: no-cache
referer: http://localhost:3000/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

【问题讨论】:

    标签: servicestack


    【解决方案1】:

    如果这个CORS请求不是来自默认配置为发送cookie的@servicestack/client JsonServiceClient,它需要是configured to include the credentials,例如:

    fetch('https://example.com', {
  credentials: 'include'
});

    如果您认为一切都已正确配置,请检查它是否不是 Chrome localhost Cookies bug 的结果。

    否则,需要大量相关信息来帮助识别缺失的问题:

    • Cors Feature 的配置。
    • 显示用于发出 CORS 请求的客户端代码
    • 失败的 HTTP 请求/响应标头未能包含 cookie
    • 浏览器开发控制台中的错误截图,例如网络检查员

    【讨论】:

    • 您好,mythz 感谢您的回复。我更新了问题。我在 chrome 中尝试了隐身模式,但行为相同。奇怪的是,如果我在 Firefox 中尝试,它不会让初始请求通过,直到我选择允许在 5001 上进行自签名证书的选项(它是调试中默认使用的 asp.net 开发根证书)。在我允许之后,一切正常,所以我认为这必须是一个特定于 chrome 的错误,它要么不喜欢缺少前端证书,要么正在检测 Visual Studio ssl 证书。感谢您的关注,似乎不是 SS 问题
    • @Guerrilla 无法从这里识别问题,Chrome 或 Firefox 的开发控制台中是否还有其他 CORS 错误?您能否尝试在http://localhost:5000 上托管以查看我们的自签名 SSL 证书问题。
    • 我设置了UseSameSiteCookies = false, UseSecureCookies = true,然后它就起作用了。我认为问题是 cookie 中的相同站点值,但这似乎使它起作用。
    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 2015-07-07
    • 1970-01-01
    • 2015-12-19
    • 2012-11-07
    • 2021-10-20
    • 2021-07-30
    • 2020-10-19
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode