具有会话/cookie的CORS请求 [英] CORS requests with session/cookie

问题描述

我的应用程序有一个PHP服务器和一个客户端(一个JS单页应用程序).它们是单独的项目，并且部署在不同的域中.客户端使用服务器公开的RESTful API.

My application has a PHP server and a client (a JS single-page app). They are separate projects and deployed in different domains. The client consumes a RESTful API exposed by the server.

此应用程序将与处理身份验证的第三方集成，因此用户无法直接登录.我们的服务器仅收到一个SSO令牌(已正确签名，以便我们验证其完整性).

This application is to be integrated with a third party which handles authentication, so users cannot login directly. Our server just receives an SSO token (which comes appropriately signed so that we verify its integrity).

我们还在所有请求的传输层强制实施安全性.

We also enforce security at the transport layer for all requests.

我想做的是，一旦验证了SSO令牌，就开始我自己的会话，然后将用户重定向到客户端.我以为一旦创建了会话，浏览器就会在异步API调用中自动发送正确的Cookie标头，但事实并非如此.

What I'd like to do is, once the SSO token is verified, start a session of my own and then redirect the user to the client. I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls, but it doesn't seem to be the case.

是否出于安全原因故意将其禁用?

Is this deliberately disabled due to security reasons?

推荐答案

您必须设置

You must set withCredentials to true for cross-origin XHR requests to include cookies.

CORS响应中还必须说出Access-Control-Allow-Credentials: true(这就是widthCredentials默认为false的原因).

The CORS response must also say Access-Control-Allow-Credentials: true (which is why widthCredentials defaults to false).

这篇关于具有会话/cookie的CORS请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！