Session cookie set `SameSite=None; Secure;` does not work

Problem description

I added `SameSite=None; Secure;` to Set-Cookie, but the cookie was not set and I can't log in to my site.
```javascript
// Node.js http response handler: the Set-Cookie header as originally sent.
// `token`, `time` (a Date), `hostname` and `csrfToken` are defined elsewhere in the handler.
response.writeHead(200, {
  'Content-Type': 'application/json',
  'Set-Cookie': 'token=' + token + '; SameSite=None; Secure; Expires=' + time.toUTCString() + '; Path=/' + '; Domain=' + hostname,
  'csrf-token': csrfToken
});
```
I reviewed the cookie in developer tools under Application > Storage > Cookies and looked at the details. It showed a warning message:

this set-cookie was blocked because it was not sent over a secure connection
Chrome blocks the cookie because I work in the development environment and send http requests. But this test logs in correctly on the Firefox browser.

I put the word Secure inside the cookie and it worked properly, but the word Secure must be used next to SameSite=None for cross-origin, otherwise the cookie will be blocked.

My question is why, when I use Secure, only the Chrome browser blocks the cookie, while it works in other browsers.

And if I do not use Secure I cannot test the payment gateway, because Chrome blocks cross-origin access if I do not use Secure...
Answer

> My question is why, when I use Secure, only the Chrome browser blocks the cookie, while it works in other browsers

I am not sure about other browsers, but Chrome implements the strategy of allowing cookies with the Secure attribute over a secure connection, as per this IETF draft.

While this draft is implemented in Chrome, it is not in Firefox, which is why in Firefox, if you go to about:config > network.cookie.sameSite.noneRequiresSecure, the default value is false.
If you just need to do it for your local dev environment, you can retain the old behavior for cookies in Chrome by disabling:
- chrome://flags/#same-site-by-default-cookies
- chrome://flags/#cookies-without-same-site-must-be-secure
I have to support legacy http clients, but if I make the https:// origin secure, I can't set the cookie from http, and moreover I can't access this cookie from http. My goal is to have SameSite=None; Secure on https and not Secure on the http:// origin. Any ideas, instead of organizing protests near the Google office?

Given that it is going to be standard in the near future, I doubt you will be able to achieve this behavior for client applications; the only route is to go secure, HTTPS.
References:
- https://web.dev/samesite-cookies-explained/#changes-to-default-behavior-with-samesite
- https://redmondmag.com/article/2020/01/28/samesite-cookie-changes-break-apps.aspx
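The rules discussed above, as an added example that is not part of the original question or answer: a small Node.js helper that builds a Set-Cookie header value, a checker that applies the two rules behind the warning in the question (a Secure cookie sent over plain http is dropped, and SameSite=None without Secure is dropped), and a request-side check for deciding whether the response is actually going out over TLS, so a dev server on http does not emit a header the browser will refuse. Function names (`buildSetCookie`, `parseSetCookie`, `checkSetCookie`, `requestIsSecure`) and the sample headers are assumptions made for this example.

```javascript
'use strict';
// Added example, not code from the original question or answer.
// All function names and sample inputs below are assumptions for illustration.

// Build a Set-Cookie header value. Refuses SameSite=None without Secure,
// because the browser would discard that cookie anyway.
function buildSetCookie({ name, value, expires, path = '/', domain,
                          sameSite = 'Lax', secure = false }) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (expires) parts.push(`Expires=${expires.toUTCString()}`);
  parts.push(`Path=${path}`);
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into name, value and a lower-cased attribute map.
// Flag attributes (Secure, HttpOnly) map to `true`; valued ones keep their string.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Decide whether a browser applying the rules described in the answer would
// store the cookie. `overHttps` says whether the response arrived on a secure
// connection. Returns null when accepted, otherwise a string explaining the block.
function checkSetCookie(header, { overHttps }) {
  const { attrs } = parseSetCookie(header);
  const secure = attrs.secure === true;
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite : '';
  if (secure && !overHttps) {
    return 'blocked: Secure cookie sent over an insecure connection';
  }
  if (/^none$/i.test(sameSite) && !secure) {
    return 'blocked: SameSite=None requires Secure';
  }
  return null; // accepted (a missing SameSite is treated as Lax by default)
}

// Is this Node.js request on TLS? True for a direct TLS socket, or when a
// reverse proxy in front of the app reports https via X-Forwarded-Proto.
// Only trust X-Forwarded-Proto if the proxy is the sole path to this server.
function requestIsSecure(req) {
  if (req.socket && req.socket.encrypted) return true;
  const xfp = req.headers && req.headers['x-forwarded-proto'];
  return typeof xfp === 'string' &&
         xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// Typical use inside a handler: only emit the cross-site cookie when the
// connection really is https; on a plain-http dev server fall back to Lax.
function sessionCookieFor(req, token, hostname) {
  const secure = requestIsSecure(req);
  return buildSetCookie({
    name: 'token', value: token, domain: hostname,
    expires: new Date(Date.now() + 24 * 3600 * 1000),
    sameSite: secure ? 'None' : 'Lax', secure,
  });
}
```

`checkSetCookie` reproduces the two failure modes from the thread: the original header with Secure fails on an http dev server, and dropping Secure while keeping SameSite=None fails everywhere that enforces the newer rule. `sessionCookieFor` shows the practical compromise for local development: keep the header correct for whichever scheme the request actually used, rather than toggling browser flags.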