Set-Cookie is not working in Chrome and Dolphin - with two websites
Problem description
Please see this question and answer from 8 months ago. The answer fixed the problem for a while, but today I discovered that login and logout work again separately for each of my websites (domains), in Chrome and in Dolphin. But everything works as before in Firefox, Edge and Opera. Did something change in those browsers regarding cookies from other domain names, and how do I fix it so that login and logout will work simultaneously on both websites?
The users log in, log out or sign up on one website, and I want them to be logged in or logged out of the other website too, automatically, and it works with Firefox, Edge and Opera. But for users of Chrome and Dolphin, currently if they log in or log out on one website, it doesn't affect the other website.
The Django view code is:
from importlib import import_module
from urllib.parse import urlparse

from django.conf import settings as django_settings
from django.contrib.sites.models import Site
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt
def set_session(request):
    """
    Cross-domain authentication.
    """
    response = HttpResponse('')
    origin = request.META.get('HTTP_ORIGIN')
    if isinstance(origin, bytes):
        origin = origin.decode()
    # urlparse(None) yields a bytes netloc, hence the second decode below
    netloc = urlparse(origin).netloc
    if isinstance(netloc, bytes):
        netloc = netloc.decode()
    # Only accept requests whose Origin host is a subdomain of one of the configured sites
    valid_origin = any(netloc.endswith('.' + site.domain) for site in Site.objects.all().order_by("pk"))
    if not valid_origin:
        return response
    if request.method == 'POST':
        session_key = request.POST.get('key')
        SessionStore = import_module(django_settings.SESSION_ENGINE).SessionStore
        if session_key and SessionStore().exists(session_key):
            # Set session cookie
            request.session = SessionStore(session_key)
            request.session.modified = True
        else:
            # Delete session cookie
            request.session.flush()
    response['Access-Control-Allow-Origin'] = origin
    response['Access-Control-Allow-Credentials'] = 'true'
    return response
And the JavaScript code is:
window.speedy = {};
window.speedy.setSession = function (domain, key) {
    $.ajax({
        url: '//' + domain + '/set-session/',
        method: 'post',
        data: {
            key: key
        },
        xhrFields: {
            withCredentials: true
        }
    });
};
Then there is JavaScript code that calls this function twice:
speedy.setSession('speedy.net', 'session_key');
speedy.setSession('speedymatch.com', 'session_key');
Where 'session_key' is replaced by the session key of the user.
And Django settings (with Django 3.0.6):
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict'
Is there any solution to this problem? I think this is due to recent changes in Chrome and Dolphin browsers.
I checked and I get the following errors from the console:
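As an added example (not the question's code), here is a stricter version of the Origin check that the set_session view above performs, with a constructed allow-list standing in for Site.objects.all(). It requires an https Origin, compares against urlparse's hostname so a port in the Origin cannot affect the comparison, and accepts the bare domain as well as its subdomains (the view's endswith('.' + site.domain) test rejects the bare domain). The function names and the allow-list are assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list standing in for Site.objects.all() in the question's view.
ALLOWED_DOMAINS = ["speedy.net", "speedymatch.com"]


def is_allowed_origin(origin, allowed_domains=ALLOWED_DOMAINS):
    """Return True only for an https Origin whose host is one of the allowed
    domains or a subdomain of one. A missing Origin, a non-https scheme and the
    literal 'null' Origin are all treated as untrusted."""
    if not origin:
        return False
    parsed = urlparse(origin)
    if parsed.scheme != "https":
        return False
    host = parsed.hostname  # drops any port and lower-cases the host
    if not host:
        return False
    for domain in allowed_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def cors_headers(origin, allowed_domains=ALLOWED_DOMAINS):
    """Build the two CORS headers the view sets, but only after the Origin has
    been validated; an untrusted Origin gets no CORS headers at all, so the
    browser never exposes the credentialed response to it."""
    if not is_allowed_origin(origin, allowed_domains):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    # Constructed sample Origins, including look-alike hosts that must be refused.
    for sample in ("https://www.speedy.net", "https://speedy.net:443", "http://www.speedy.net",
                   "https://speedy.net.example.org", "https://evilspeedy.net", "null", None):
        print(repr(sample), "->", is_allowed_origin(sample))
```

The host comparison is done on the parsed hostname rather than the raw netloc, and the allowed domain is anchored with a leading dot, so hosts that merely contain the domain as a substring (speedy.net.example.org, evilspeedy.net) are refused.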
It looks related to the following links:
A cookie ... was set without the `SameSite` attribute.
Starting July 14 (2020), you should set these [1][2] and upgrade to Django 3.1 [3][4] (released Aug 4):
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = 'None'
Explanation
Before Django 3.1, the `samesite` attribute is not set if the setting is the `None` singleton:
if samesite:
    if samesite.lower() not in ('lax', 'strict'):
        raise ValueError('samesite must be "lax" or "strict".')
    self.cookies[key]['samesite'] = samesite
As of Django 3.1, the `samesite` attribute is set for the `'None'` string; still not for `None`/`False`:
if samesite:
    if samesite.lower() not in ('lax', 'none', 'strict'):
        raise ValueError('samesite must be "lax", "none", or "strict".')
    self.cookies[key]['samesite'] = samesite
References
1. Cookies default to SameSite=Lax - Chrome Platform Status
2. Reject insecure SameSite=None cookies - Chrome Platform Status
3. Settings | Django documentation | Django #std:setting-SESSION_COOKIE_SAMESITE
4. Allowed setting SameSite cookies flags to 'None' · Pull Request #11894 · django/django
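As an added example (not part of the answer, and not Django's own code), the two set_cookie branches quoted above re-implemented on top of the standard library's http.cookies, followed by a check that applies the two Chrome changes the references describe (a cookie without a SameSite attribute is treated as Lax; SameSite=None requires Secure) to the resulting Set-Cookie header. The function names are mine, and the helper models only the Secure and SameSite attributes, not the rest of Django's session cookie.

```python
from http.cookies import SimpleCookie


def django_set_cookie(version, key, value, secure=False, samesite=None):
    """Emit a Set-Cookie header value the way Django 3.0 or 3.1 validates the
    samesite argument (see the two snippets in the answer). SimpleCookie stands
    in for Django's response.cookies; only Secure and SameSite are modelled."""
    allowed = ("lax", "strict") if version == "3.0" else ("lax", "none", "strict")
    cookies = SimpleCookie()
    cookies[key] = value
    if secure:
        cookies[key]["secure"] = True
    if samesite:  # None and False skip the attribute entirely, in both versions
        if samesite.lower() not in allowed:
            raise ValueError("samesite must be one of %s." % ", ".join(allowed))
        cookies[key]["samesite"] = samesite
    return cookies[key].OutputString()


def chrome_cross_site_verdict(set_cookie_header):
    """Return (usable_cross_site, reason) for a Set-Cookie header value under
    Chrome's Lax-by-default and insecure-SameSite=None rejection rules."""
    _, *attr_parts = set_cookie_header.split(";")
    attrs = {}
    for part in attr_parts:
        name, _, val = part.strip().partition("=")
        attrs[name.lower()] = val
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if not samesite:
        return (False, "no SameSite attribute: treated as Lax, so not set or sent cross-site")
    if samesite == "none":
        if not secure:
            return (False, "SameSite=None without Secure: cookie rejected")
        return (True, "SameSite=None; Secure: usable in cross-site requests")
    return (False, "SameSite=%s: same-site only" % samesite)


def settings_outcome(version, samesite_setting):
    """Combine both steps for one Django version and one SESSION_COOKIE_SAMESITE
    value, with SESSION_COOKIE_SECURE = True as in the question. Returns
    (header_or_None, usable_cross_site, reason)."""
    try:
        header = django_set_cookie(version, "sessionid", "abc123",
                                   secure=True, samesite=samesite_setting)
    except ValueError as exc:
        return (None, False, "Django refuses the setting: %s" % exc)
    usable, reason = chrome_cross_site_verdict(header)
    return (header, usable, reason)


if __name__ == "__main__":
    # Constructed matrix: the question's settings versus the answer's fix.
    for version in ("3.0", "3.1"):
        for setting in (None, "None", "Lax"):
            print(version, repr(setting), settings_outcome(version, setting))
```

Running it shows the mechanism behind the answer: on Django 3.0 the question's `SESSION_COOKIE_SAMESITE = None` produces `sessionid=...; Secure` with no SameSite attribute, which Chrome treats as Lax and therefore will not accept from the cross-site set-session response, whereas Django 3.1 with the `'None'` string emits `SameSite=None; Secure`, the only combination the check reports as usable cross-site.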