HTTP Redirect (302) Doesn't Use Cookie in Following GET Request


Question

Here is a question I have been researching for some time now.

I have a redirect that does not seem to be respecting a Set-Cookie attribute in a 302 Redirect.

Here are the request and response headers that I used wireshark to obtain.

HTTP/1.1 302 Moved Temporarily\r\n
Connection: close\r\n
Location: http://192.168.1.1:8888/home/\r\n
Set-Cookie: foo=test_data; Domain=192.168.1.1; Path=/\r\n
\r\n

GET /home/ HTTP/1.1\r\n
Host: 192.168.1.1:8888\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
DNT: 1\r\n
\r\n

I sanitized the content just a bit, but nothing critical should have been modified. The point is no matter the browser I use, the cookie 'foo' is not put in the GET request following the 302. From what I have read, this is not expected behavior. Am I incorrect in believing this? Is there something that I am missing or doing wrong with the 302?

Answer

In the question, the Cookie header does not appear in the redirected HTTP request (GET http://192.168.1.1:8888/home). The root cause is: the cookie foo=test_data never exists. When it is delivered from the server by the Set-Cookie response header, it is rejected by the browser, as its Domain does not include the original server.

According to MDN:

A cookie belonging to a domain that does not include the origin server should be rejected by the user agent. The following cookie will be rejected if it was set by a server hosted on originalcompany.com.

Set-Cookie: qwerty=219ffwef9w0f; Domain=somecompany.co.uk; Path=/; Expires=Wed, 30 Aug 2019 00:00:00 GMT

For a more accurate description, you can check RFC 6265 section 4.1.2.3.

This is designed for a good reason. If every server could Set-Cookie for every domain, it would be extremely easy to wipe out other websites' cookies, which would be a disaster for the internet.
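To make the domain rule concrete, here is an added example (not code from the question or the answer above) that models the parts of RFC 6265 that decide the outcome: the domain-match test of section 5.1.3, the Domain-attribute handling of the storage algorithm in section 5.3, and the cookie-selection rules of section 5.4. It takes the host that sent the Set-Cookie header, the header itself, and the host and path of the redirected request, and returns the Cookie header a conforming user agent would attach. The MDN case (Domain=somecompany.co.uk set by originalcompany.com) is rejected, as is any attempt to use a trailing fragment of an IP address as a parent domain. One caveat worth knowing: under a literal reading of section 5.1.3 a Domain value identical to the request host domain-matches, so how a particular browser treats an IP address in the Domain attribute is an implementation detail, and the example simply reports what the RFC algorithm yields. All hostnames and cookie values other than those quoted on this page are constructed for the example.

```python
"""Minimal model of RFC 6265 cookie domain/path handling (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def _is_ip(host: str) -> bool:
    """True when the host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(string: str, domain_string: str) -> bool:
    """RFC 6265 section 5.1.3: does `string` (a request host) domain-match `domain_string`?"""
    string, domain_string = string.lower(), domain_string.lower()
    if string == domain_string:
        return True
    return (
        string.endswith(domain_string)
        and string[-len(domain_string) - 1] == "."   # suffix must start at a label boundary
        and not _is_ip(string)                        # IP addresses never domain-match a suffix
    )


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str
    host_only: bool
    path: str


def _parse_set_cookie(set_cookie: str):
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def store_cookie(request_host: str, set_cookie: str) -> Optional[StoredCookie]:
    """RFC 6265 section 5.3 (Domain/Path steps only). Returns None when the UA must ignore the cookie."""
    name, value, attrs = _parse_set_cookie(set_cookie)
    domain_attr = attrs.get("domain", "").lstrip(".").lower()
    path = attrs.get("path") or "/"
    if domain_attr:
        # Step 6: a Domain attribute that the request host does not domain-match -> reject.
        if not domain_matches(request_host, domain_attr):
            return None
        return StoredCookie(name, value, domain_attr, host_only=False, path=path)
    # No Domain attribute: host-only cookie bound to the exact request host.
    return StoredCookie(name, value, request_host.lower(), host_only=True, path=path)


def cookie_header_for(request_host: str, request_path: str, jar: List[StoredCookie]) -> str:
    """RFC 6265 section 5.4: build the Cookie header for a request to host/path."""
    sent = []
    for c in jar:
        if c.host_only:
            host_ok = request_host.lower() == c.domain
        else:
            host_ok = domain_matches(request_host, c.domain)
        if host_ok and path_matches(request_path, c.path):
            sent.append(f"{c.name}={c.value}")
    return "; ".join(sent)


def simulate_redirect(origin_host: str, set_cookie: str, redirect_host: str, redirect_path: str) -> str:
    """Cookie header the UA would send on the request that follows a 302 carrying `set_cookie`."""
    jar: List[StoredCookie] = []
    cookie = store_cookie(origin_host, set_cookie)
    if cookie is not None:
        jar.append(cookie)
    return cookie_header_for(redirect_host, redirect_path, jar)


if __name__ == "__main__":
    # The MDN example from the answer: rejected because originalcompany.com is not under somecompany.co.uk.
    print(store_cookie("originalcompany.com",
                       "qwerty=219ffwef9w0f; Domain=somecompany.co.uk; Path=/"))
    # Constructed sibling-host case: a parent-domain cookie travels to another host under example.com.
    print(simulate_redirect("www.example.com", "sid=abc; Domain=example.com; Path=/",
                            "api.example.com", "/v1"))
    # The header from the question, evaluated by the RFC algorithm as written.
    print(simulate_redirect("192.168.1.1", "foo=test_data; Domain=192.168.1.1; Path=/",
                            "192.168.1.1", "/home/"))
```

Running the script prints `None` for the MDN case, `sid=abc` for the constructed sibling-host case, and `foo=test_data` for the header from the question, which shows that the RFC's identical-string rule alone does not reject it; the rejection the answer describes comes from the user agent's own handling of IP-address Domain values, which is exactly the kind of behaviour worth confirming in the browser you are debugging rather than assuming.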
