为什么会话Cookie在从域提供服务时工作，而不是在使用IP时工作？ [英] Why does the session cookie work when serving from a domain but not when using an IP?

问题描述

我有一个Flask应用程序，会话在我的本地开发机器上工作良好。但是，当我尝试在Amazon服务器上部署它时，会话似乎不工作。

I have a Flask application with sessions that works well on my local development machine. However, when I try to deploy it on an Amazon server, sessions do not seem to work.

更具体地说，未设置会话cookie。但是，我可以设置正常的Cookie。我确保我有一个静态安全密钥，因为其他人已经表明可能是一个问题。唯一的区别是如何设置服务器。在开发期间，我使用

More specifically, the session cookie is not set. I can, however, set normal cookies. I made sure I have a static secure key, as others have indicated that might be an issue. The only difference is in how the server is set up. During development, I use

app.run()

在本地运行。部署后，我使用

to run locally. When deployed, I use

app.config['SERVER_NAME'] = '12.34.56.78'  # <-- insert a "real" IP
app.run(host='0.0.0.0', port=80)

我怀疑这个问题可能出现在上面，但并不完全确定。

I suspect the problem might be in the above, but am not completely certain.

会话

以下小应用程序演示了此问题，其底部的配置有所不同：

The following small application demonstrates the problem, with the configuration differences at the bottom:

from flask import Flask, make_response, request, session

app = Flask(__name__)
app.secret_key = 'secretKey'

# this is to verify that cookies can be set
@app.route('/setcookie')
def set_cookie():
    response = make_response('Cookie set')
    response.set_cookie('cookie name', 'cookie value')
    return response

@app.route('/getcookie')
def get_cookie():
    if 'cookie name' in request.cookies:
        return 'Cookie found. Its value is %s.' % request.cookies['cookie name']
    else:
       return 'Cookie not found'

# this is to check if sessions work
@app.route('/setsession')
def set_session():
    session['session name'] = 'session value'
    return 'Session set'

@app.route('/getsession')
def get_session():
    if 'session name' in session:
        return 'Session value is %s.' % session['session name']
    else:
        return 'Session value not found'

if __name__ == '__main__':
    app.debug = True

    # windows, local development
    #app.run()  

    # Ubuntu
    app.config['SERVER_NAME'] = '12.34.56.78'  # <-- insert a "real" IP
    app.run(host='0.0.0.0', port=80)

推荐答案

这是Chrome中的错误，不是您的应用程序的问题。 （如果他们更改其政策，也可能会影响其他浏览器。）

This is a "bug" in Chrome, not a problem with your application. (It may also effect other browsers as well if they change their policies.)

RFC 2109 ，它描述了如何处理cookie，似乎表明cookie域必须是具有TLD（.com，.net等）的FQDN或作为完全匹配的IP地址。 原始Netscape Cookie规范根本没有提及IP地址。

RFC 2109, which describes how cookies are handled, seems to indicate that cookie domains must be an FQDN with a TLD (.com, .net, etc.) or be an exact match IP address. The original Netscape cookie spec does not mention IP addresses at all.

Chrome开发人员决定比其他浏览器更严格地接受Cookie网域的值。虽然有一点他们更正了错误，阻止了IP上的Cookie地址，自那时起他们显然已后退，不允许非FQDN域（包括本地主机）或 IP地址上的Cookie。

The Chrome developers have decided to be more strict than other browsers about what values they accept for cookie domains. While at one point they corrected a bug that prevented cookies on IP addresses, they have apparently backpedaled since then and don't allow cookies on non-FQDN domains (including localhost) or IP addresses. They have stated they will not fix this, as they do not consider it a bug.

正常Cookie的工作原因，但是因为他们不会会话cookie不是你没有为正常cookie（它是一个可选参数）设置域，但Flask会自动将会话cookie的域设置为 SERVER_NAME 。 Chrome（和其他）接受没有网域的Cookie，并将其自动设置为响应域，因此观察到行为的差异。

The reason "normal" cookies are working but the session cookie is not is that you are not setting a domain for the "normal" cookies (it's an optional parameter), but Flask automatically sets the domain for the session cookie to the SERVER_NAME. Chrome (and others) accept cookies without domains and auto-set them to the domain of the response, hence the observed difference in behavior. You can observer normal cookies failing if you set the domain to the IP address.

在开发过程中，您可以通过在localhost上运行应用程序而不是让它默认值来解决这个问题。至127.0.0.1。 Flask有一个解决方法，不会发送如果服务器名称为localhost，则为会话cookie的域。 app.run（'localhost'）

During development, you can get around this by running the app on localhost rather than letting it default to 127.0.0.1. Flask has a workaround that won't send the domain for the session cookie if the server name is localhost. app.run('localhost')

在生产中，没有任何真正的解决方案。您可以在域而不是IP上提供此服务，这将解决它，但在您的环境中可能不可能。您可以强制所有客户使用Chrome以外的其他东西，这是不实际的。或者你可以为Flask提供一个不同的会话接口，对于已经为localhost使用过的IP做同样的解决方法，尽管这在某种程度上可能是不安全的。

In production, there aren't any real solutions. You could serve this on a domain rather than an IP, which would solve it but might not be possible in your environment. You could mandate that all your clients use something besides Chrome, which isn't practical. Or you could provide a different session interface to Flask that does the same workaround for IPs that it already uses for localhost, although this is probably insecure in some way.

不允许具有域的IP的Cookie，并且没有实际的解决方法。

Chrome does not allow cookies with IPs for the domain, and there is no practical workaround.

这篇关于为什么会话Cookie在从域提供服务时工作，而不是在使用IP时工作？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！