HTTP Cookie和Ajax请求通过HTTPS [英] HTTP Cookies and Ajax requests over HTTPS
问题描述
我知道这已经问过各种形式,但我似乎无法绕开的问题。 我曾经同时使用jQuery和原生JS API使Ajax请求审判。
我的情况下(见附图):
- 在浏览器发出的HTTP请求
- 服务器响应,并设置永久性的Cookie
- 在浏览器发出的HTTP Ajax请求,cookie是有全权
- 在服务器响应不如预期,将更新的Cookie
- 在浏览器发出HTTPS Ajax请求,cookie是不存在了(?!)
- 服务器提供了默认的反应,因为没有曲奇(意外情况)
在有人开始对跨域请求的演讲让我说出一两件事情:
- 我知道,这是一个跨域请求(不同的协议),这就是为什么服务器设置
访问控制 - 允许 - 原产地的响应头(而且我在使用Chrome和Firefox,它们都支持 CORS ) - 我也知道是什么,不过,是HTTP cookie的应该是管理通过HTTPS(见<一href="http://stackoverflow.com/questions/2163828/reading-cookies-via-https-that-were-set-using-http">here)由于主机是相同
- (编辑)cookie被正确地为广大域设置(如.domain.ext),而本仅Http也没有安全标志设置
那么,为什么,为什么,为什么不浏览器使得HTTPS AJAX调用时传递上的cookie?有任何想法吗?我将失去我的心......
+ ----------- + HTTP请求+ ----------- +
|浏览器| + ----------------&GT; |服务器|
+ ----------- + + ----------- +
HTTP响应
&LT; ---------------- +
设置Cookie
阿贾克斯HTTP所需物品。
+ ----------------&GT;
饼干(OK)
HTTP响应
&LT; ---------------- +
设置Cookie(OK)
阿贾克斯HTTPS所需物品。
+ ----------------&GT;
没有饼干(!!!)
好了,找到了解决的cookie的问题。
请参阅 XHR规格中的jQuery文档和<一href="http://stackoverflow.com/questions/2870371/why-jquery-ajax-not-sending-session-cookie">StackOverflow.
该解决方案已饼干时,交换协议和/或子域是在 withCredentials 属性设置为发送真实。
例如。 (使用jQuery)
$。阿贾克斯({
/ *设置呼叫* /
xhrFields:{
withCredentials:真
}
});
I know this has been asked before in various forms, but I can't seem to get around the problem. I have tried using both jQuery and the native JS API to make the Ajax requests.
My situation is the following (see attached diagram):
- Browser makes HTTP request
- Server responds and sets persistent Cookie
- Browser makes HTTP Ajax request, Cookie is there all-right
- Server responds as expected, updates Cookie
- Browser makes HTTPS Ajax request, Cookie is not there anymore (?!)
- Server gives "default" response, since there is no Cookie (unintended behaviour)
Before anybody starts a lecture on cross-domain requests let me state a couple of things:
- I know that this is a cross-domain request (different protocol), and that's why the Server sets the
Access-Control-Allow-Originheader in the response (and I am using Chrome and Firefox, both of which support CORS) - What I also know, though, is that the HTTP cookie ought to be manageable over HTTPS (see here) since the host is the same
- (EDIT) The cookie is properly set for the general domain (e.g. .domain.ext) and neither the HttpOnly nor the Secure flags are set
So, why, why, why doesn't the browser pass on the cookie when making the HTTPS Ajax call? Any ideas? I am about to lose my mind...
+-----------+ HTTP Request +-----------+
|Browser |+---------------->|Server |
+-----------+ +-----------+
HTTP Response
<----------------+
Set-cookie
Ajax HTTP Req.
+---------------->
Cookie (OK)
HTTP Response
<----------------+
Set-cookie (OK)
Ajax HTTPS Req.
+---------------->
No Cookie (!!!)
Ok, found the solution to the cookie problem.
See XHR specs, jQuery docs and StackOverflow.
The solution to have the cookies sent when switching protocol and/or subdomain is to set the withCredentials property to true.
E.g. (using jQuery)
$.ajax( {
/* Setup the call */
xhrFields: {
withCredentials: true
}
});
这篇关于HTTP Cookie和Ajax请求通过HTTPS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
