在根域上设置的Cookie无法用于子域-我在做什么错? [英] Cookie set on root domain not available to subdomain - what am I doing wrong?
问题描述
托管在 subdomain.example.com
上的客户端对 example.com
进行api调用以获取cookie.响应具有一个 Set-cookie
标头,我认为该Cookie已正确返回:
Client hosted on subdomain.example.com
makes api call to example.com
to fetch a cookie. The response has a Set-cookie
header and I see the cookie as being returned alright:
但是,我看不到保存在浏览器(Chrome,Firefox,Edge)中的cookie,因此在后续的API请求中,cookie并未作为标头发送:
However, I don't see the cookie saved in the Browser (Chrome, Firefox, Edge) and, as a result, is not sent as a header in subsquent API requests:
Set-cookie
domain
属性设置为 .example.com
,但是当我在MDN中阅读时,我认为尾随点被忽略了
Set-cookie
domain
attribute is set to .example.com
, but as I read in MDN I think the trailing dot gets ignored.
顺便提一下,有问题的cookie是 csurf
库设置的csrf令牌密钥.
The cookie in question, by the way, is the csrf token secret set by the csurf
library.
我做错了什么?我已经进行了3个晚上的故障排除,但还没有任何线索.似乎是与[0]相同的问题,但没有答案.谢谢!
What am I doing wrong? I have been troubleshooting for 3 evenings now, I don't have a clue yet. seems to be same question as [0] but that one is unanswered. Thanks!
推荐答案
很显然,我对cors的理解不够充分-[0]使我走上了正确的轨道.这是由于没有在 withCredentials
客户端和 credentials:true
上执行AJAX请求,因为我在 example.com
与 subdomain.example.com
不同.希望对您有帮助
Clearly I didn't have a good enough understanding of cors - [0] put me on the right track. It was due to not doing doing the AJAX request with withCredentials
client side and credentials: true
because I am setting an origin since server in example.com
in not the same as subdomain.example.com
. Hope it is helpful
[0] https://stackoverflow.com/a/60142012/3630417
这篇关于在根域上设置的Cookie无法用于子域-我在做什么错?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!