Why is express session cookie being blocked as a third party cookie


Question

I am using the express-session module. It works perfectly on localhost, but on my website (hosted on Heroku using Cloudflare) the express session cookie is being blocked as a third-party cookie. Here is the configuration for my session:

const express = require('express');
const session = require('express-session');

const app = express();

// sessionStore is the session store configured elsewhere in the app (not shown in the question)
app.use(session({
  resave: false,
  saveUninitialized: false,
  proxy : true,               // trust X-Forwarded-Proto from the Cloudflare/Heroku proxy
  cookie: {
    maxAge: 3600000000000,    // milliseconds, roughly 114 years
    httpOnly: false,          // cookie is readable from page JavaScript
    secure: false,            // cookie is also sent over plain HTTP
    domain: '.mydomain.com',  // browsers only keep this if the responding host is inside mydomain.com
    path: '/'
  },
  store: sessionStore,
  secret: 'mysecret',
  unset: 'destroy'
}));

Is this an issue with Express or maybe Cloudflare/Heroku?

Answer

Why the cookie is blocked

From whatis.techtarget.com:

    A third-party cookie is one that is placed on a user's hard disk by a Web site from a domain other than the one a user is visiting.

As you mentioned in your comment, your client and your server are on different domains:

    www.castcrunch.com is my client side server's URL and cast-crunch-server.herokuapp.com is my backend server URL

You can read more about cookie domains in RFC 6265:

    The Domain attribute specifies those hosts to which the cookie will be sent.

What you could do about that

As mentioned in this dzone article, you could use JSON Web Tokens to do the authentication. Your server would send the token in the login response body, the client would store it and send it to the server in every subsequent request header.

The drawback with this approach, since you are storing the token, is that you would become vulnerable to XSS attacks. You have to pay special attention to that: sanitise all inputs, or better yet, use frameworks and languages that already do that.

Note: Of course, you could also uncheck the "block 3rd party cookies" option in the browser settings, but this does not seem like a long term solution :).
