Safari不将COOKIE包含在第二个CORS请求中 [英] Safari not include COOKIE to second CORS request
问题描述
我在 https://somedomain.dev
(角)上有前端,在 https://api.somedomain.dev
上有api(所以我有相同的域,但是不同的子域-这很重要,因为对于不同的整个域,Safari将 cookies ).我按照以下顺序向API发送了3个请求
I have frontend on https://somedomain.dev
(angular) and api on https://api.somedomain.dev
(so I have same domain but different subdomain - this is important because for different whole domains Safari will block all cookies). I send 3 requests to API in following order
-
POST/api/user/login
-在响应服务器中设置 HttpOnly COOKIE(具有授权令牌:JWT -
获取/api/user/profile
-获取用户个人资料(浏览器应在请求中添加COOKIE) -
获取/api/buildings
-获取建筑物(浏览器应在请求中添加COOKIE)
POST /api/user/login
- in response server set HttpOnly COOKIE (with authorisation token: JWTGET /api/user/profile
- to get user profile (browser should add COOKIE to request)GET /api/buildings
- to get buildings (browser should add COOKIE to request)
问题:Safari仅为 GET配置文件
添加cookie,而不向 GET建筑
添加cookie(Chrome,Firefox和Edge向每个cookie添加COOKIE)GET请求)
Problem: Safari add cookie only for GET profile
and NOT add cookie to GET buildings
(Chrome, Firefox and Edge add COOKIE to each GET request)
所有请求的详细信息(标题等):
All requests details (headers etc.):
- Chrome v.81.0 : login, profile and building
- Safari v. 13.1 : login, profile and building
- angular: each get request is send with
withCredential: true
flag (and of course this works in Chrome)
问题:为什么Safari不向 buildings
请求添加cookie,以及如何强制Safari(使用javascript或服务器代码)向所有请求添加cookie(登录后))?
Question: Why Safari not add cookie to buildings
request and what to do to force Safari (using javascript or server code) to add cookie to all requests (after login) ?
推荐答案
好-终于分析了请求之后,我发现了问题-在 login
响应中,在 Set-Cookie
标记Cookie的生存时间
Ok - after loooong analysing requests finally I found the problem - in login
response the server set in Set-Cookie
header the cookie life time by
Max-Age: 43200;
这可在Chrome,Firefox和Edge上使用-但不能在Safari上使用(Safari可能将其视为1s cookie生存期,这就是为什么它仅在第一个GET请求中添加cookie)-所以我将其更改为
this works on Chrome, Firefox and Edge - but NOT on Safari (probably Safari treat this as 1s cookie life-time and this is why it add cookie only for first GET request) - so I change it to
max-age=43200;
现在可以在任何地方使用了:)
and now works everywhere :)
这篇关于Safari不将COOKIE包含在第二个CORS请求中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!