我无法在Node.js(Express)中将Cookie的SameSite属性设置为“无" [英] I can't set the SameSite attribute of the cookie to None in Nodejs (Express)
问题描述
我们正在为Nodejs(Express)中的Twitter视图应用程序创建一个后端.
We are creating a backend for a Twitter view app in Nodejs (Express).
我正在考虑使用Twitter Api进行登录,并将身份验证后返回的令牌存储到会话中,然后在再次访问cookie时从cookie还原会话.
I'm thinking of using Twitter Api for login and storing the token returned after authentication to the session and then restoring the session from the cookie when it is accessed again.
但是,当再次访问cookie时,该cookie被阻止,我无法恢复会话信息.
However, the cookie is blocked when it is accessed again and I can't restore the session information.
我使用的浏览器是chrome,但是由于chrome版本为80,因此未指定SameSite属性时,SameSite属性似乎为Lax(从同一域的站点调用时发送cookie).和后端是不同的域,因此cookie被阻止.
The browser I use is chrome, but since chrome version 80, SameSite attribute seems to be Lax (sends a cookie when called from the site of the same domain) when the SameSite attribute is not specified, and in this case, front and back end are different domains, so cookies are blocked.
因此,我试图将SameSite属性设置为None(在任何站点调用时都会发送cookie),但是我似乎无法很好地设置它并询问此问题.
So I am trying to set the SameSite attribute to None (sends a cookie when called by any site), but I can't seem to set it well and asked this question.
我想知道是否可以在app.use(session({}))部分有所作为的情况下将SameSite属性设置为None,但是...
I'm wondering if I can set the SameSite attribute to None if I make a difference in the part of app.use(session({})), but...
如果有人知道解决方案,我将不胜感激.
If anyone knows of a solution, I would appreciate your help.
谢谢您的帮助.
callback_url = env.URL + "oauth/callback";
app.use(
cookieSession({
name: "session",
keys: ["thisappisawesome"],
maxAge: 24 * 60 * 60 * 100
})
);
app.use(cookieParser());
// Save to session
passport.serializeUser(function(user, done) {
done(null, user.id);
});
// Restore from Session
passport.deserializeUser(function(user, done) {
done(null, user);
});
passport.use(
new TwitterStrategy({
consumerKey: env.TWITTER_CONSUMER_KEY,
consumerSecret: env.TWITTER_CONSUMER_SECRET,
callbackURL: callback_url
},
async (token, tokenSecret, profile, done) => {
return done(null, profile);
}
));
app.use(session({
allowedHeaders: ['sessionId', 'Content-Type'],
exposedHeaders: ['sessionId'],
secret: 'reply-analyzer',
resave: false,
saveUninitialized: false
}));
var cors_set = {
origin: env.CORS_ORIGIN_URL,
methods: "GET,HEAD,PUT,PATCH,POST,DELETE",
credentials: true // allow session cookie from browser to pass through
};
app.use(passport.initialize());
app.use(passport.session());
app.use(cors(cors_set));
我尝试过的.
1.我尝试在app.use(session({}))部分中设置cookie选项,但是无法将SameSite属性设置为None.
What I've tried.
1.I tried setting the cookie options in the app.use(session({})) part, but it was not possible to set the SameSite attribute to None.
app.use(session({
allowedHeaders: ['sessionId', 'Content-Type'],
exposedHeaders: ['sessionId'],
secret: 'reply-analyzer',
resave: false,
saveUninitialized: false,
cookie : {
secure: true,
sameSite: 'None'
}
}));
2.我尝试使用以下中间件( express-samesite-default ),但SameSite属性可以设置为无",而不是".
2.I tried using the following middleware (express-samesite-default), but the SameSite attribute can be set to None, and the It wasn't.
var sameSiteCookieMiddleware = require("express-samesite-default");
app.use(sameSiteCookieMiddleware.sameSiteCookieMiddleware());
其他信息
Node.js v12.18.2铬v84.0.4147.135
Additional information
Node.js v12.18.2 chrome v84.0.4147.135
推荐答案
我能够自我解决,并将描述如何解决问题.在代码中有两个会话和一个cookie会话,但是我决定使用cookie会话,因为它似乎可以正常工作.最终结果如下
I was able to self-resolve and will describe how I was able to solve the problem. In the code there are two sessions and a cookie session, but I decided to use the cookie session as it seems to work fine. The end result is the following
var cookieSession = require("cookie-session");
app.set('trust proxy', 1)
app.use(
cookieSession({
name: "__session",
keys: ["key1"],
maxAge: 24 * 60 * 60 * 100,
secure: true,
httpOnly: true,
sameSite: 'none'
})
);
这篇关于我无法在Node.js(Express)中将Cookie的SameSite属性设置为“无"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
