在根域上设置的Cookie无法用于子域-我在做什么错? [英] Cookie set on root domain not available to subdomain - what am I doing wrong?

问题描述

托管在 subdomain.example.com 上的客户端对 example.com 进行api调用以获取cookie.响应具有一个 Set-cookie 标头，我认为该Cookie已正确返回:

Client hosted on subdomain.example.com makes api call to example.com to fetch a cookie. The response has a Set-cookie header and I see the cookie as being returned alright:

但是，我看不到保存在浏览器(Chrome，Firefox，Edge)中的cookie，因此在后续的API请求中，cookie并未作为标头发送:

However, I don't see the cookie saved in the Browser (Chrome, Firefox, Edge) and, as a result, is not sent as a header in subsquent API requests:

Set-cookie domain 属性设置为 .example.com ，但是当我在MDN中阅读时，我认为尾随点被忽略了

Set-cookie domain attribute is set to .example.com, but as I read in MDN I think the trailing dot gets ignored.

顺便提一下，有问题的cookie是 csurf 库设置的csrf令牌密钥.

The cookie in question, by the way, is the csrf token secret set by the csurf library.

我做错了什么?我已经进行了3个晚上的故障排除，但还没有任何线索.似乎是与[0]相同的问题，但没有答案.谢谢！

What am I doing wrong? I have been troubleshooting for 3 evenings now, I don't have a clue yet. seems to be same question as [0] but that one is unanswered. Thanks!

[0] 将Cookie从子域设置为根域和所有子域

推荐答案

很显然，我对cors的理解不够充分-[0]使我走上了正确的轨道.这是由于没有在 withCredentials 客户端和 credentials:true 上执行AJAX请求，因为我在 example.com 与 subdomain.example.com 不同.希望对您有帮助

Clearly I didn't have a good enough understanding of cors - [0] put me on the right track. It was due to not doing doing the AJAX request with withCredentials client side and credentials: true because I am setting an origin since server in example.com in not the same as subdomain.example.com. Hope it is helpful

[0] https://stackoverflow.com/a/60142012/3630417

这篇关于在根域上设置的Cookie无法用于子域-我在做什么错?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！