AngularJS withCredentials不发送 [英] AngularJS withCredentials Not Sending

问题描述

在AngularJS中，我有一个子域中的Restful API，但我遇到了cookie /会话不是跨域共享的问题。对于Angular我这样做：

In AngularJS, I have my Restful API in a subdomain but I am having the problem where the cookie/session is not being shared across domains. For Angular I am doing this:

app.config(['$httpProvider',
function($httpProvider) {
    $httpProvider.defaults.useXDomain = true;
    $httpProvider.defaults.withCredentials = true;
    delete $httpProvider.defaults.headers.common['X-Requested-With'];
}]);

此外，当我使用$ http发出请求时，我正在做

Also when I am making a request with $http I am doing

var object = {};

object.url = '/example'
object.withCredentials = true;

$http(object).success(object.success).error(object.error);

在我的服务器端我有：

if($_SERVER['REQUEST_METHOD']=='OPTIONS') {
    if(isset($_SERVER['HTTP_X_FOWARDED_HOST']) && !empty($_SERVER['HTTP_X_FOWARDED_HOST'])) {
        $origin=$_SERVER['HTTP_X_FOWARDED_HOST'];
    } else {
        $origin=$_SERVER['HTTP_ORIGIN'];
    }
    if(isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && ($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='POST' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='DELETE' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']=='PUT')) {
        header('Access-Control-Allow-Origin: '.$origin);
        header('Access-Control-Allow-Credentials: true');
        header('Access-Control-Allow-Headers:  *,X-Requested-With,Content-Type');
        //header('Access-Control-Allow-Headers: Content-Type');
        header('Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT');
        // http://stackoverflow.com/a/7605119/578667
        header('Access-Control-Max-Age: 86400');
    }

}

现在我看到服务器说它将允许凭证，但不会在选项请求中发送。下面的屏幕截图。

Now I see that the server is saying that it will allow credentials but its not being sent in the options request. Screenshot below.

推荐答案

默认情况下，在CORS飞行前OPTIONS请求中不发送凭证。 请参阅此处。另请参阅此 answer 。

By default credentials are NOT sent in a CORS pre-flight OPTIONS request. See here. See also this answer. The credentials will be sent on your actual request.

此外，使用XDomain和X-Request-With标头在当前版本的angular中实际上并未使用，因此这些行正在执行没有在你的$ httpProvider配置。所有CORS交互都由浏览器本身和您的服务器处理。

Also, useXDomain and X-Request-With headers are not actually used in current versions of angular, so those lines are doing nothing in your $httpProvider config. All CORS interaction is handled by the browser itself and your server.

一般来说，为了正确实现CORS，您的服务器不应该在预检请求上请求凭据。 （请注意，有些浏览器无论如何都会发送，但不应该发送。）这是因为OPTIONS请求被认为是安全的，不应包含任何机密信息。

In general to properly implement CORS your server should not require credentials on the preflight request. (Please note that some browsers send them anyway, but shouldn't.) This is because an OPTIONS request is considered "safe" and should never contain any confidential information.

这可能是您的问题是在您尝试在域之间共享的Cookie。您尝试在哪里发送哪些Cookie？

It may be your problem is in the cookies you're trying to share across domains. What cookies are you trying to send where?

这篇关于AngularJS withCredentials不发送的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！