HTTP Cookies and Ajax requests over HTTPS


Problem description



    I know this has been asked before in various forms, but I can't seem to get around the problem. I have tried using both jQuery and the native JS API to make the Ajax requests.

    My situation is the following (see attached diagram):

    1. Browser makes HTTP request
    2. Server responds and sets persistent Cookie
    3. Browser makes HTTP Ajax request, Cookie is there alright
    4. Server responds as expected, updates Cookie
    5. Browser makes HTTPS Ajax request, Cookie is not there anymore (?!)
    6. Server gives "default" response, since there is no Cookie (unintended behaviour)

    Before anybody starts a lecture on cross-domain requests let me state a couple of things:

    • I know that this is a cross-domain request (different protocol), and that's why the Server sets the Access-Control-Allow-Origin header in the response (and I am using Chrome and Firefox, both of which support CORS)
    • What I also know, though, is that the HTTP cookie ought to be manageable over HTTPS (see here) since the host is the same
    • (EDIT) The cookie is properly set for the general domain (e.g. .domain.ext) and neither the HttpOnly nor the Secure flags are set

    So, why, why, why doesn't the browser pass on the cookie when making the HTTPS Ajax call? Any ideas? I am about to lose my mind...

         +-----------+ HTTP Request     +-----------+
         |Browser    |+---------------->|Server     |
         +-----------+                  +-----------+
    
                       HTTP Response
                      <----------------+
                       Set-cookie
    
                       Ajax HTTP Req.
                      +---------------->
                       Cookie (OK)
    
                       HTTP Response
                      <----------------+
                       Set-cookie (OK)
    
                       Ajax HTTPS Req.
                      +---------------->
                       No Cookie (!!!)
    

    Solution

    Ok, found the solution to the cookie problem.

    See XHR specs, jQuery docs and StackOverflow.

    The solution to have the cookies sent when switching protocol and/or subdomain is to set the withCredentials property to true.

    E.g. (using jQuery)

     $.ajax( {
       /* Setup the call */
       xhrFields: {
         withCredentials: true
       }
     });
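
The answer above covers only the client side. As an added example (not part of the original answer), this sketch shows the response headers a credentialed cross-origin request needs from the server and models the browser's check on them, plus the native XHR form of the same setting. The function names, the origin `http://www.domain.ext` and the allow-list are assumptions.

```javascript
// Added example: function names, origins and the allow-list are assumptions.

// Server side: build CORS response headers for a credentialed request.
// Browsers reject the wildcard "*" when credentials are included, so the
// server has to echo one specific, allow-listed origin.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) {
    return {}; // unknown origin: send no CORS headers at all
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not reuse this response for another origin
  };
}

// Browser side (simplified model): the check applied to a response when the
// request was sent with withCredentials = true. Real header names are
// case-insensitive; this model uses exact keys for brevity.
function credentialedResponseAllowed(requestOrigin, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  const allowCredentials = headers["Access-Control-Allow-Credentials"];
  return allowOrigin === requestOrigin && allowCredentials === "true";
}

// Native XHR equivalent of the jQuery xhrFields setting (browser only;
// defined here but not called, since XMLHttpRequest is a browser API).
function getWithCookies(url, onLoad) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url);
  xhr.withCredentials = true; // include cookies on the cross-origin call
  xhr.onload = () => onLoad(xhr.status, xhr.responseText);
  xhr.send();
  return xhr;
}

// Constructed sample value: the HTTP page that issues the HTTPS Ajax call.
const ALLOWED_ORIGINS = ["http://www.domain.ext"];
```

If the server answers a `withCredentials` request with `Access-Control-Allow-Origin: *`, or omits `Access-Control-Allow-Credentials: true`, the browser still sends the cookie but withholds the response from the calling script.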
    
