HTTP头中的Set-Cookie被AngularJS忽略 [英] Set-Cookie in HTTP header is ignored with AngularJS
问题描述
我正在开发一个在客户端基于AngularJS的应用程序,以及在服务器端使用Java的我的API(Tomcat + Jersey for WS)。
I'm working on an application based on AngularJS on client side and Java for my API (Tomcat + Jersey for WS) on server side.
我的API是受限的,如果用户没有会话,返回的响应状态是401.在客户端,401 http状态被拦截,以将用户重定向到登录页面。
Some path of my API are restricted, if the user doesn't have a session the response status returned is 401. On the client side, 401 http status are intercepted to redirect the user to the login page.
一旦用户被验证,我在服务器端创建一个会话
Once the user is authenticated, I create a session on the server side
httpRequest.getSession(true);
并且响应发送到客户端在其标题中有Set-cookie指令:
and the response send to the client does have the Set-cookie instruction in its header :
Set-Cookie:JSESSIONID=XXXXXXXXXXXXXXXXXXXXX; Domain=localhost; Path=/api/; HttpOnly
问题是cookie从不放在客户端。当我检查localhost域的cookie是空的,所以下一个请求没有这个cookie在他们的头和客户端仍然无法访问我的API的限制路径。
The problem is that the cookie is never put on the client side. When I inspect cookie for localhost domain it's empty, so the next requests don't have this cookie in their header and client side still couldn't access to the restricted path of my API.
客户端和服务器位于同一域,但它们没有相同的路径和相同的端口号:
The client and the server are on the same domain but they don't have the same path and the same port number :
客户端: http:// localhost:8000 / app / index.html
服务器: http:// localhost :8080 / api / restricted /
其他信息:CORS在两侧都启用:
Additional info : CORS is enabled on the both side :
"Access-Control-Allow-Methods", "GET, POST, OPTIONS"
"Access-Control-Allow-Origin", "*"
"Access-Control-Allow-Credentials", true任何使Set-cookie正常工作的想法?
是AngularJS相关的问题吗?
Any idea for making the Set-cookie works properly ? Is it an AngularJS related issue ?
推荐答案
我设法解决了一个非常类似于您的问题。
我的播放!后端尝试设置一个会话Cookie,我不能在Angular中捕获或通过浏览器存储。
I've managed to solve an issue very similar to yours. My Play! backend tried to set a session Cookie which I could not catch in Angular or store via browser.
实际上,该解决方案涉及一点点和一点。 >
Actually the solution involved a bit of this and a bit of that.
假设您已经解决了初始问题,这可以通过添加一个特定的域到Access-Control-Allow-生成并删除通配符,接下来的步骤是:
Assuming you've solved the initial issue, which can be solved only by adding a specific domain to the Access-Control-Allow-Origin and removing the wildcard, the next steps are:
-
您必须从
Set-Cookie标头,否则您永远无法接收由您的角码生成的Cookie
此设置已在Firefox中使用,但不在Chrome中
You have to remove the HTTP-Only from the
Set-Cookieheader, otherwise you will never be able to receive a cookie "generated" by your angular code
This setup will already work in Firefox, though not in Chrome
要使其也适用于Chrome,您需要:
To make it work for Chrome too, you need to:
a)在cookie中从localhost发送不同的域,使用您的WS托管的域。您甚至可以使用 .domain.com 等通配符代替 ws.domain.com
a) send a different domain from localhost in the cookie, using the domain your WS are "hosted". You can even use wildcards like .domain.com instead of ws.domain.com
b)那么您需要调用您在Cookie中指定的域名,否则Chrome不会存储您的Cookie
b) then you'll need to make a call to the domain you specified in the cookie, otherwise Chrome won't store your cookie
[可选]我会删除 / api 路径,以支持 /
[optional] I would remove that /api path in favor of a /
这应该是骗子。
希望得到一些帮助
And that should to the trick.
Hope to have been of some help
这篇关于HTTP头中的Set-Cookie被AngularJS忽略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
