为什么会话 cookie 在从域提供服务时有效，但在使用 IP 时无效? [英] Why does the session cookie work when serving from a domain but not when using an IP?

问题描述

我有一个带有会话的 Flask 应用程序，它在我的本地开发机器上运行良好.但是，当我尝试在 Amazon 服务器上部署它时，会话似乎不起作用.

I have a Flask application with sessions that works well on my local development machine. However, when I try to deploy it on an Amazon server, sessions do not seem to work.

更具体地说，未设置会话 cookie.但是，我可以设置普通 cookie.我确保我有一个静态安全密钥，因为其他人表示这可能是一个问题.唯一的区别在于服务器的设置方式.在开发过程中，我使用

More specifically, the session cookie is not set. I can, however, set normal cookies. I made sure I have a static secure key, as others have indicated that might be an issue. The only difference is in how the server is set up. During development, I use

app.run()

在本地运行.部署时，我使用

to run locally. When deployed, I use

app.config['SERVER_NAME'] = '12.34.56.78'  # <-- insert a "real" IP
app.run(host='0.0.0.0', port=80)

我怀疑问题可能出在上面，但不能完全确定.

I suspect the problem might be in the above, but am not completely certain.

会话确实似乎适用于 Firefox，但不适用于 Chrome.

The session does seem to work on Firefox, but not Chrome.

下面的小应用演示了这个问题，底部有配置差异:

The following small application demonstrates the problem, with the configuration differences at the bottom:

from flask import Flask, make_response, request, session

app = Flask(__name__)
app.secret_key = 'secretKey'

# this is to verify that cookies can be set
@app.route('/setcookie')
def set_cookie():
    response = make_response('Cookie set')
    response.set_cookie('cookie name', 'cookie value')
    return response

@app.route('/getcookie')
def get_cookie():
    if 'cookie name' in request.cookies:
        return 'Cookie found. Its value is %s.' % request.cookies['cookie name']
    else:
       return 'Cookie not found'

# this is to check if sessions work
@app.route('/setsession')
def set_session():
    session['session name'] = 'session value'
    return 'Session set'

@app.route('/getsession')
def get_session():
    if 'session name' in session:
        return 'Session value is %s.' % session['session name']
    else:
        return 'Session value not found'

if __name__ == '__main__':
    app.debug = True

    # windows, local development
    #app.run()  

    # Ubuntu
    app.config['SERVER_NAME'] = '12.34.56.78'  # <-- insert a "real" IP
    app.run(host='0.0.0.0', port=80)

推荐答案

这是一个错误"在 Chrome 中，您的应用程序没有问题.(如果其他浏览器更改政策，也可能会影响它们.)

This is a "bug" in Chrome, not a problem with your application. (It may also affect other browsers as well if they change their policies.)

RFC 2109，描述了 cookie 的处理方式，似乎表明 cookie 域必须是带有 TLD(.com、.net 等)的 FQDN，或者是完全匹配的 IP 地址.原始 Netscape cookie 规范 根本没有提到 IP 地址.

RFC 2109, which describes how cookies are handled, seems to indicate that cookie domains must be an FQDN with a TLD (.com, .net, etc.) or be an exact match IP address. The original Netscape cookie spec does not mention IP addresses at all.

Chrome 开发人员决定比其他浏览器更严格地规定他们接受的 cookie 域值.虽然有一次他们纠正了一个错误，该错误阻止了 cookieIP 地址，从那以后他们显然已经退步了t 允许在非 FQDN 域(包括本地主机)或 IP 地址上使用 cookie.他们表示他们不会修复这个问题，因为他们不认为这是一个错误.

The Chrome developers have decided to be more strict than other browsers about what values they accept for cookie domains. While at one point they corrected a bug that prevented cookies on IP addresses, they have apparently backpedaled since then and don't allow cookies on non-FQDN domains (including localhost) or IP addresses. They have stated they will not fix this, as they do not consider it a bug.

原因正常"cookie 正在工作，但会话 cookie 不是，因为您没有为正常"设置域.cookies(这是一个可选参数)，但 Flask 会自动将会话 cookie 的域设置为 SERVER_NAME.Chrome(和其他)接受没有域的 cookie 并将它们自动设置为响应域，因此观察到的行为差异.如果您将域设置为 IP 地址，您可以观察到正常的 cookie 失败.

The reason "normal" cookies are working but the session cookie is not is that you are not setting a domain for the "normal" cookies (it's an optional parameter), but Flask automatically sets the domain for the session cookie to the SERVER_NAME. Chrome (and others) accept cookies without domains and auto-set them to the domain of the response, hence the observed difference in behavior. You can observer normal cookies failing if you set the domain to the IP address.

在开发过程中，您可以通过在本地主机上运行应用程序而不是让它默认为 127.0.0.1 来解决这个问题.Flask 有一个解决方法如果服务器名称是 localhost，则发送会话 cookie 的域.app.run('localhost')

During development, you can get around this by running the app on localhost rather than letting it default to 127.0.0.1. Flask has a workaround that won't send the domain for the session cookie if the server name is localhost. app.run('localhost')

在生产中，没有任何真正的解决方案.您可以在域而不是 IP 上提供此服务，这可以解决问题，但在您的环境中可能无法实现.您可以强制您的所有客户端使用 Chrome 之外的其他东西，这是不切实际的.或者，您可以为 Flask 提供不同的会话接口，该接口对已用于 localhost 的 IP 执行相同的解决方法，尽管这在某些方面可能不安全.

In production, there aren't any real solutions. You could serve this on a domain rather than an IP, which would solve it but might not be possible in your environment. You could mandate that all your clients use something besides Chrome, which isn't practical. Or you could provide a different session interface to Flask that does the same workaround for IPs that it already uses for localhost, although this is probably insecure in some way.

Chrome 不允许使用域 IP 的 cookie，并且没有实际的解决方法.

Chrome does not allow cookies with IPs for the domain, and there is no practical workaround.

这篇关于为什么会话 cookie 在从域提供服务时有效，但在使用 IP 时无效?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！