快速会话安全Cookie无法正常工作 [英] Express-session Secure Cookies not working
问题描述
不使用安全cookie true设置时,我的应用程序用户登录正常.当我启用安全cookie时,登录似乎可以正常进行,但似乎cookie没有保存,用户也未登录.
When not using secure cookie true setting, my app user login works fine. When I enable secure cookies, the login appears to go through fine, but it seems the cookie is not saved and the user is not logged in.
换句话说,这可行:
app = express();
app.use(session({
secret: 'secret code',
store: sessionStore,
resave: false,
saveUninitialized: false,
cookie: {
secure: false,
maxAge: 5184000000 // 60 days
}
}));
这不起作用(用户无法登录):
This does not work (user isn't able to log in):
app = express();
app.set('trust proxy');
app.use(session({
secret: config.cookieSecret,
store: sessionStore,
resave: false,
saveUninitialized: false,
proxy: true,
secureProxy: true,
cookie: {
secure: true,
httpOnly: true,
maxAge: 5184000000 // 60 days
}
}));
cloudflare和nginx之后.这是在我的Nginx配置中:
Behind cloudflare and nginx. This is in my nginx config:
location ~ / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:3000;
}
从我阅读的内容来看,我认为它应该起作用.我想念什么?
From what I read, I think it should work. What am I missing?
我正在使用有效的ssl证书运行https.
I am running https with a valid ssl cert.
推荐答案
我的猜测是,实际问题是这样的:
My guess is that the actual problem is this:
httpOnly: true
这意味着任何客户端代码都无法(通过document.cookie)访问cookie,并且您执行的任何XHR("AJAX")请求都需要显式设置
This means that any client-side code cannot access the cookie (through document.cookie), and any XHR ("AJAX") requests that you perform need to explicitly set withCredentials before any cookies will be sent in the request.
这取决于您使用的是哪种客户端设置:
It depends on which client-side setup you're using how to do that:
- plain XHR: look at the example code
- fetch: here
- jQuery: use the
xhrFieldsoption for$.ajax() - Angular 1: here
- Angular 2: here
这篇关于快速会话安全Cookie无法正常工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
