Play session cookie not sent by Safari


Question

I have a single page application (SPA) on a domain a.domain.com (http) that connects to an API on b.otherdomain.com (https) built in Play 2 (Scala).

After the SPA has loaded, the user enters his credentials and the app makes an ajax call to https://b.otherdomain.com.com/login.

The /login sets the Play cookie and the following requests are well authenticated. Everything works on Chrome and Firefox (not IE because of CORS restrictions).

It should work on Safari, but after the /login call the cookie is not sent back with the following requests, so Play returns "401 not authorized" responses.

Is this a bug or a misconfiguration on my server side? Do I have to change application.session.httpOnly and application.session.secure?

Here is what I see from the Safari inspector:

/login headers :

URL de la requête:https://b.otherdomain.com//login
Méthode de la requête:POST
Code d’état:200 OK
En-têtes de requêteafficher la source
Accept:application/json, text/plain, */*
Content-Type:application/x-www-form-urlencoded
Origin:http://a.domain.com.com
Referer:http://a.domain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Données du formulaireafficher l’URL codée
email:foo@foo.com
password: foofoo
En-têtes de réponseafficher la source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://a.domain.com
Connection:keep-alive
Content-Length:31
Content-Type:text/plain; charset=utf-8
Set-Cookie:PLAY_SESSION=a71f93e3315fa9164dd7112841ccdb4a0f0c447b-     sessionId%3A6gtu7%21z.5i%218d%29v8yxy693n-s6zsuejpav_p67f9hb%7Ej%274h2de*jx3g35p%7Egzo0u;Path=/;HTTPOnly
Strict-Transport-Security:max-age=31536000

following request :

URL de la requête:https://b.otherdomain.com/users
Méthode de la requête:GET
Code d’état:401 Unauthorized
En-têtes de requêteafficher la source
Accept:application/json, text/plain, */* 
Origin:http://a.domain.com
Referer:http://a.domain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
En-têtes de réponseafficher la source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://a.domain.com
Connection:keep-alive
Content-Length:24
Content-Type:text/plain; charset=utf-8
Strict-Transport-Security:max-age=31536000

Answer

I had the same problem. It worked well in Chrome, but not at all in Safari. My understanding is that this is a new limitation of Safari related to third-party cookies.

It seems there is no (good) workaround.

Options:
- use a proxy: set up an endpoint on server a to call b server side.
- make a CNAME DNS entry for b to be seen as a.

You may want to try the PayPal cross-domain suite: https://medium.com/@bluepnume/introducing-paypals-open-source-cross-domain-javascript-suite-95f991b2731d
