Cookie 未在 IE 中更新/覆盖 [英] Cookie not renewing/overwriting in IE
问题描述
我对 IE 中的 cookie 有一个奇怪的怪癖.当用户登录站点时,我生成了一个新的会话 ID,因此需要覆盖 cookie.流程基本上是:
I have a weird quirk with cookies in IE. When a user logs into the site, I'm generating a new session id and hence need to overwrite the cookie. The flow is basically:
- 客户端进入
https://secure.example.com/users/login页面,自动接收会话ID - 客户端将登录凭据发布到同一地址
客户端收到以下 set-cookie 标头以及到
https://secure.example.com/users/mypage的 302 重定向:
- Client goes to
https://secure.example.com/users/loginpage, automatically receiving a session id - Client POSTs login credentials to same address
Client receives the following set-cookie headers together with a 302 redirect to
https://secure.example.com/users/mypage:
CAKEPHP=已删除;expires=Sun, 05-Apr-2009 04:50:35 GMT;路径=/
CAKEPHP=98hnIO23...;到期=格林威治标准时间 2010 年 4 月 12 日星期一 04:50:36;路径=/;安全
CAKEPHP=deleted; expires=Sun, 05-Apr-2009 04:50:35 GMT; path=/
CAKEPHP=98hnIO23...; expires=Mon, 12 Apr 2010 04:50:36 GMT; path=/; secure
客户端应该访问 https://secure.example.com/users/mypage,并提供新的会话 ID.
Client is supposed to visit https://secure.example.com/users/mypage, presenting the new session id.
这适用于所有浏览器,IE 除外(在 7 和 8 中测试).IE 保留旧的、未经身份验证的会话 ID,并被重定向回登录页面.它适用于我的本地测试环境(使用 https://localhost:8443/... 上的自签名证书),但不适用于实时服务器.
This works in all browsers, except IE (tested in 7 & 8). IE retains the old, unauthenticated session id, and is redirected back to the login page. It works on my local test environment (using a self-signed certificate at https://localhost:8443/...), but not on the live server.
我正在使用 CakePHP 并简单地发出一个 $this->Session->renew(),它会生成上述 cookie 标头.
I'm using CakePHP and simply issue a $this->Session->renew(), which produces the above cookie headers.
任何想法如何让 IE 接受新的 cookie?
Any ideas how to get IE to accept the new cookie?
这是完整的标题:
HTTP/1.0 302 Moved Temporarily
Date: Thu, 08 Apr 2010 02:54:30 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=deleted; expires=Wed, 08-Apr-2009 02:54:30 GMT; path=/
Set-Cookie: CAKEPHP=d55c...; expires=Thu, 15 Apr 2010 02:54:31 GMT; path=/; secure
Last-Modified: Thu, 08 Apr 2010 02:54:30 GMT
Location: https://secure.example.com/users/mypage
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
我想我已经发现了问题:IE 正在发送两个 相同名称的 cookie.这是对服务器的下一个请求:
I think I have found the problem: IE is sending two cookies of identical name. Here's the next request to the server:
GET /users/mypage HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-silverlight, */ *
Referer: https://secure.example.com/users/login
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Host: secure.example.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CAKEPHP=19c6...; CAKEPHP=d55c...
请注意,它发送了两个 cookie,一个是登录后收到的,还有一个是旧的.它在主页 example.com 收到旧的,设置为 path=/.它还将请求发送到 secure.example.com.它不会被上述标头替换,而是将其添加为附加 cookie.我怎样才能阻止它这样做?
Notice that it sends two cookies, the one it received after logging in, but also the old one. It received the old one at the main page example.com, set with path=/. It's also sending it for requests to secure.example.com. It doesn't get replaced by the above header, instead it adds it as additional cookie. How can I stop it from doing that?
推荐答案
确保为您的基本域发出 cookie.
Make sure the cookies are emitted for your base domain.
这很可能是问题所在,因为这种行为在不同的浏览器中肯定会有所不同.
That's v. likely the problem, since this behavior certainly varies in different browsers.
我没有在 cakephp 中做过,但是 这应该可行
I haven't done it in cakephp, but this should work
这篇关于Cookie 未在 IE 中更新/覆盖的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
