CORS $就会话cookie(访问控制允许-凭证和放大器; withCredentials =真) [英] CORS $.ajax session cookies (access-control-allow-credentials & withCredentials=true)
问题描述
我意识到这个问题已经被问了十次以上,并给予每个响应指示我这样做是正确的,但也许我失去了一些东西。
AJAX提供了CORS请求像这样...
$。阿贾克斯({
网址:someotherdomain.com,
类型:'后',
数据:{键:值},
数据类型:JSON,
异步:假的,
跨域:真正的,
beforeSend:功能(XHR){
xhr.withCredentials = TRUE;
},
成功:函数(X,状态XHR){
},
错误:函数(XHR,状态,错误){
}
});
PHP提供了CORS请求,像这样......
头('访问控制,最大年龄:1728000');
标题(访问控制 - 允许 - 产地:http://someotherdomain.com');
标题(访问控制 - 允许 - 方法:POST);
标题(访问控制 - 允许 - 头:Content-MD5,X-ALT-Referer信息');
标题(访问控制 - 允许-凭据:真);
标题(内容类型:应用程序/ JSON;字符集= UTF-8);
据的所有文件,只要访问控制 - 允许 - 凭据服务器端头,和withCredentials =真正的'客户端头设置域之间的会话cookie处理应该是透明的。我失去了一些东西?
异步:假的
为preventing被送回对每个请求的服务器的会话cookie。下列固定它。
异步:真
虽然这允许会话cookie来获得由浏览器的设置使得跨起源请求共享打电话时,我现在就遇到下面的情况下问题:
服务器A发送响应客户端 客户端采用CORS使得B服务器的要求
XMLHtt prequest - > PHP - >会话处理程序 - > MySQL的 - >存储过程
由于在PHP会话管理的互斥锁的异步性,显然,需求可能会迫使工作手动设置cookie与不同的页眉选项,如XCookie或类似,以保持服务器会话的东西和客户端请求同步的左右
这个特殊的工作大约不跟我坐好,因为我相信这将开辟旅游的一个简单的车道会话劫持和会话重放攻击向量。
使用SSL / TLS封装的连接,可以帮助preventing出现上述情况,但在独立提供安全保障措施,为客户,我不相信这应该足够了条件。
任何人对这个有什么想法?
I realize this question has been asked a dozen or more times and each response given indicates I am doing it right but perhaps I am missing something.
AJAX serves up CORS request like so...
$.ajax({
url: 'someotherdomain.com',
type: 'post',
data: {key: 'value'},
dataType: 'json',
async: false,
crossDomain: true,
beforeSend: function(xhr){
xhr.withCredentials = true;
},
success: function(x, status, xhr){
},
error: function(xhr, status, error){
}
});
PHP serves up CORS requests like so...
header('Access-Control-Max-Age: 1728000');
header('Access-Control-Allow-Origin: http://someotherdomain.com');
header('Access-Control-Allow-Methods: POST');
header('Access-Control-Allow-Headers: Content-MD5, X-Alt-Referer');
header('Access-Control-Allow-Credentials: true');
header("Content-Type: application/json; charset=utf-8");
According to all documentation as long as the 'Access-Control-Allow-Credentials' server side header, and the 'withCredentials=true' client side header is set session cookie handling between the domains should be transparent. Am I missing something?
async: false
was preventing the session cookie from being sent back to the server on each request. The following fixed it.
async: true
Although this does allow for the session cookie to get set by the browser when making a cross origin request sharing call, I am now experiencing problems regarding the following scenario:
Server A sends response to client Client using CORS makes request of server B
XMLHttpRequest -> PHP -> Session handler -> MySQL -> Stored Procedure
Due to the MUTEX locks in the PHP session management the asynchronous nature and apparently, requirement may force a work around of manually setting the cookie with a different header option such as XCookie or something similar to keep the servers session and client requests synchronized.
This particular work around does not sit well with me as I believe it would open up an easy lane of travel for session hijacking and session replay attack vectors.
Using an SSL/TLS wrapped connection may assist in preventing the above scenario but in terms of independently providing security measures for the client I do not believe this should suffice.
Anyone with any thoughts on this?
这篇关于CORS $就会话cookie(访问控制允许-凭证和放大器; withCredentials =真)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!