AngularJS和Laravel-跨域CORS/XHR请求缺少(记住)cookie [英] AngularJS and Laravel - crossdomain CORS / XHR requests lacking (remember_) cookies

问题描述

当我在chrome中不使用--disable-web-security选项时，我的CORS/XHR请求在请求标头中缺少Remember_xyz cookie.如果我启用了该选项，则header_xyz cookie将包含在请求标头中，并且一切正常.

My CORS / XHR requests lacking the remember_xyz cookie in the request headers when i don't use the --disable-web-security option in chrome. If i enable that option the remember_xyz cookie will be included in the request headers and everything is working fine.

作为解决方法，我目前正在通过基本身份验证标头发送身份验证凭证.但是我认为这不是预期的或正确的方法.

As workaround i'm currently sending the auth credentials via basic auth header. But i think that's not the intended or right way.

如何获取请求标头中包含的记住Cookie?

在chrome的网络控制台中，我可以看到以下内容:

In chrome's network console i can see the following:

(无 --chrome中的--disable-web-security选项)

(without --disable-web-security option in chrome)

记住的cookie由laravel在第一个响应标头中发送.但是不包含在下一个请求的标头中.为什么?

The remember cookie is sent by laravel in the first response headers. But is not included in the next request's headers by angular. Why?

在实际请求触发之前，每个请求都具有OPTIONS预检请求.预检请求是否可能以某种方式删除/破坏cookie?

Every request has that OPTIONS preflight request before the actual request fires. Is it possible that the preflight request removes/breaks the cookie somehow?

( with --chrome中的--disable-web-security选项)

(with --disable-web-security option in chrome)

记住的cookie由laravel在第一个响应标头中发送，并将按角度在下一个请求的标头中发送.一切都好.



是否应将响应头中的所说cookie包含在请求头中?是的时候，为什么我不必在Chrome中启用"--disable-web-security"选项来执行此操作?

The remember cookie is sent by laravel in the first response headers and will be sent in the next request's headers by angular. Everything is fine.


Edit 2:
Is it up to me to include the said cookie out of the response headers into the request headers? When yes, why i don't have to do this with "--disable-web-security" option enabled in chrome?

我做错了什么?

谢谢！

推荐答案

不确定我是否直接回答了您的问题，但我会采取行动.您确实需要在客户端和服务器上为CORS设置某些标头.

Not sure I'm answering your question directly, but I'll take a stab. You DO need to set certain headers on the client side AND server for CORS.

客户端需要知道发送Cookie标头，否则它将去除它们.对于jQuery，这意味着在ajax调用中设置withCredentials参数.在此处查看更多信息.这听起来像是您要解决的问题.

The client needs to know to send the Cookie headers, or it will strip them out. For jQuery, this means setting the withCredentials parameter in your ajax call. See more info here. This sounds like the issue you are grappling with.

在服务器端，您可能需要确保飞行前请求已设置.

On the server side, you may need to ensure pre-flight requests are setup.

例如，当我在Laravel 4中使用CORS时，我有一个过滤器可向每个响应中添加一些标头:

For instance, when I used CORS in Laravel 4, I had a filter to add some headers to each response:

App::after(function($request, $response)
{
    // Note that you cannot use wildcard domains when doing CORS with Authorization!
    $response->headers->set('Access-Control-Allow-Origin', 'http://dev.domain.local');
    $response->headers->set('Access-Control-Allow-Credentials', 'true');
    $response->headers->set('Access-Control-Allow-Headers', 'Authorization, X-Requested-With');
});

在控制器内，我还有一个OPTIONS请求对飞行前请求做出响应.一个例子是:

Within a controller, I also had an OPTIONS request respond for pre-flight requests. An example of that is:

public function optionsComplex()
{
    $response = Response::make(null, 200);
    $response->headers->set('Allow', 'GET, PUT, DELETE');
    $response->headers->set('Access-Control-Allow-Methods', 'GET, PUT, DELETE');
    return $response;
}

希望有帮助.

这篇关于AngularJS和Laravel-跨域CORS/XHR请求缺少(记住)cookie的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！