Set-Cookie is not working in Chrome and Dolphin - with two websites

Problem description


Please see this question and answer from 8 months ago. The answer fixed the problem for a while, but today I discovered that login and logout work again separately for each of my websites (domains), in Chrome and in Dolphin. But everything works as before in Firefox, Edge and Opera. Did something change in those browsers regarding cookies from other domain names, and how do I fix it so that login and logout work simultaneously on both websites?

Users log in, log out or sign up to one website, and I want them to log in or log out of the other website too, automatically; this works with Firefox, Edge and Opera. But for users of Chrome and Dolphin, logging in or out of one website currently doesn't affect the other website.

The Django view code is:

from importlib import import_module
from urllib.parse import urlparse

from django.conf import settings as django_settings
from django.contrib.sites.models import Site
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt
def set_session(request):
    """
    Cross-domain authentication.
    """
    response = HttpResponse('')
    # Origin is sent by the browser on the cross-site XHR from the other website.
    origin = request.META.get('HTTP_ORIGIN')
    if isinstance(origin, bytes):
        origin = origin.decode()
    netloc = urlparse(origin).netloc
    if isinstance(netloc, bytes):
        netloc = netloc.decode()
    # Only accept requests whose Origin host is a subdomain of a configured Site.
    valid_origin = any(netloc.endswith('.' + site.domain) for site in Site.objects.all().order_by("pk"))
    if (not (valid_origin)):
        return response
    if (request.method == 'POST'):
        session_key = request.POST.get('key')
        SessionStore = import_module(django_settings.SESSION_ENGINE).SessionStore
        if ((session_key) and (SessionStore().exists(session_key))):
            # Set session cookie: attach the existing session to this domain's response
            request.session = SessionStore(session_key)
            request.session.modified = True
        else:
            # Delete session cookie
            request.session.flush()
    # CORS headers so the credentialed XHR from the other domain may read the response
    response['Access-Control-Allow-Origin'] = origin
    response['Access-Control-Allow-Credentials'] = 'true'
    return response

And the JavaScript code is:

window.speedy = {};

// POST the session key to the other domain's set-session view.
// withCredentials makes the browser send, and store, that domain's cookies on the XHR.
window.speedy.setSession = function (domain, key) {
    $.ajax({
        url: '//' + domain + '/set-session/',
        method: 'post',
        data: {
            key: key
        },
        xhrFields: {
            withCredentials: true
        }
    });
};

Then there is JavaScript code that calls this function twice:

speedy.setSession('speedy.net', 'session_key');
speedy.setSession('speedymatch.com', 'session_key');

Where 'session_key' is replaced by the session key of the user.

And Django settings (with Django 3.0.6):

SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = None

CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict'

Is there any solution to this problem? I think this is due to recent changes in Chrome and Dolphin browsers.

I checked and I get the following errors from the console:

It looks related to the following links:

Solution

A cookie ... was set without the `SameSite` attribute.

Starting July 14 (2020), you should set these [1][2] and upgrade to Django 3.1 [3][4] (released Aug 4):

SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = 'None'

Explanation

Before Django 3.1, the samesite attribute is not set if the setting is the None singleton:

if samesite:
    if samesite.lower() not in ('lax', 'strict'):
        raise ValueError('samesite must be "lax" or "strict".')
    self.cookies[key]['samesite'] = samesite

As of Django 3.1, the samesite attribute is set for the 'None' string; still not for None/False:

if samesite:
    if samesite.lower() not in ('lax', 'none', 'strict'):
        raise ValueError('samesite must be "lax", "none", or "strict".')
    self.cookies[key]['samesite'] = samesite

References

  1. Cookies default to SameSite=Lax - Chrome Platform Status
  2. Reject insecure SameSite=None cookies - Chrome Platform Status
  3. Settings | Django documentation | Django #std:setting-SESSION_COOKIE_SAMESITE
  4. Allowed setting SameSite cookies flags to 'None' · Pull Request #11894 · django/django
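The following is an added example, not code from the thread or from Django itself. It reproduces, with the standard library only, the SameSite validation quoted above for both Django versions and then applies Chrome 84's two rules (references 1 and 2) to the resulting Set-Cookie headers. It shows why the question's SESSION_COOKIE_SAMESITE = None on Django 3.0 emits no SameSite attribute at all, which Chrome 84 treats as Lax and therefore refuses to set from the cross-site XHR in the question, why the string 'None' is rejected by Django 3.0's validator, and why 'None' on Django 3.1 also needs SESSION_COOKIE_SECURE = True. The function names set_cookie_django30, set_cookie_django31 and chrome84_cross_site_verdict, the cookie name sessionid and value abc are all assumptions of this example; the checker encodes only the two Chrome 84 behaviours the answer cites, and it assumes Python 3.8 or later for SimpleCookie's samesite support.

```python
"""Emulate Django's set_cookie() SameSite handling before and after 3.1 and
check the resulting Set-Cookie header against Chrome 84's SameSite rules.

Added example, not Django's or the asker's code. Standard library only;
assumes Python 3.8+ for SimpleCookie's 'samesite' attribute."""
from http.cookies import SimpleCookie


def _set_cookie(key, value, secure=False, samesite=None, allowed=('lax', 'strict')):
    """Stand-in for HttpResponse.set_cookie(): mirrors the validation snippets
    quoted in the answer. `allowed` is the per-version list of SameSite values.
    Returns the Set-Cookie header value."""
    cookies = SimpleCookie()
    cookies[key] = value
    if secure:
        cookies[key]['secure'] = True
    # The None singleton (and '') is falsy, so no SameSite attribute is written at all.
    if samesite:
        if samesite.lower() not in allowed:
            raise ValueError('samesite must be one of: %s.' % ', '.join(allowed))
        cookies[key]['samesite'] = samesite
    return cookies[key].OutputString()


def set_cookie_django30(key, value, secure=False, samesite=None):
    """Django < 3.1: only 'lax' and 'strict' pass the validator."""
    return _set_cookie(key, value, secure, samesite, allowed=('lax', 'strict'))


def set_cookie_django31(key, value, secure=False, samesite=None):
    """Django >= 3.1: the string 'None' is accepted and emitted as SameSite=None."""
    return _set_cookie(key, value, secure, samesite, allowed=('lax', 'none', 'strict'))


def chrome84_cross_site_verdict(set_cookie_header):
    """Return (accepted, reason) for a Set-Cookie header received in a cross-site
    context, such as the credentialed XHR in the question, under Chrome 84:
    a missing SameSite attribute is treated as Lax (reference 1), and
    SameSite=None is rejected unless Secure is also present (reference 2)."""
    attrs = {}
    for part in set_cookie_header.split(';')[1:]:
        name, _, val = part.strip().partition('=')
        attrs[name.lower()] = val.lower()
    samesite = attrs.get('samesite') or 'lax'  # Lax by default
    if samesite == 'none':
        if 'secure' not in attrs:
            return False, 'SameSite=None without Secure is rejected'
        return True, 'SameSite=None; Secure is accepted cross-site'
    return False, 'SameSite=%s cookies are neither set nor sent cross-site' % samesite.capitalize()


def compare_configurations(key='sessionid', value='abc'):
    """Run the settings combinations discussed in the thread through both
    Django versions and the Chrome 84 checker. Each entry is
    (Set-Cookie header, or None if Django refused it, (accepted, reason))."""
    results = {}
    # The question: SESSION_COOKIE_SAMESITE = None (the singleton) on Django 3.0.
    hdr = set_cookie_django30(key, value, secure=True, samesite=None)
    results['django30_None_singleton'] = (hdr, chrome84_cross_site_verdict(hdr))
    # The answer's value on Django 3.0: the validator rejects the string 'None'.
    try:
        hdr = set_cookie_django30(key, value, secure=True, samesite='None')
        results['django30_None_string'] = (hdr, chrome84_cross_site_verdict(hdr))
    except ValueError as exc:
        results['django30_None_string'] = (None, (False, str(exc)))
    # The answer: SESSION_COOKIE_SAMESITE = 'None' plus SESSION_COOKIE_SECURE = True on 3.1.
    hdr = set_cookie_django31(key, value, secure=True, samesite='None')
    results['django31_None_string'] = (hdr, chrome84_cross_site_verdict(hdr))
    # Same on 3.1 but without Secure: Django emits it, Chrome 84 drops it.
    hdr = set_cookie_django31(key, value, secure=False, samesite='None')
    results['django31_None_string_insecure'] = (hdr, chrome84_cross_site_verdict(hdr))
    return results


if __name__ == '__main__':
    for name, (header, (accepted, reason)) in compare_configurations().items():
        print('%-32s %-42s %s (%s)' % (name, header, 'OK' if accepted else 'BLOCKED', reason))
```

Running the script prints one line per configuration; only the Django 3.1 'None' plus Secure combination is accepted cross-site, which is exactly the pair of settings the answer prescribes.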
