Cookie not renewing/overwriting in IE
I have a weird quirk with cookies in IE. When a user logs into the site, I'm generating a new session id and hence need to overwrite the cookie. The flow is basically:
- Client goes to the https://secure.example.com/users/login page, automatically receiving a session id
- Client POSTs login credentials to the same address
- Client receives the following set-cookie headers together with a 302 redirect to https://secure.example.com/users/mypage:
  CAKEPHP=deleted; expires=Sun, 05-Apr-2009 04:50:35 GMT; path=/
  CAKEPHP=98hnIO23...; expires=Mon, 12 Apr 2010 04:50:36 GMT; path=/; secure
- Client is supposed to visit https://secure.example.com/users/mypage, presenting the new session id.
This works in all browsers, except IE (tested in 7 & 8). IE retains the old, unauthenticated session id, and is redirected back to the login page. It works on my local test environment (using a self-signed certificate at https://localhost:8443/...), but not on the live server.
I'm using CakePHP and simply issue a $this->Session->renew(), which produces the above cookie headers.
Any ideas how to get IE to accept the new cookie?
Here's the complete header:
HTTP/1.0 302 Moved Temporarily
Date: Thu, 08 Apr 2010 02:54:30 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=deleted; expires=Wed, 08-Apr-2009 02:54:30 GMT; path=/
Set-Cookie: CAKEPHP=d55c...; expires=Thu, 15 Apr 2010 02:54:31 GMT; path=/; secure
Last-Modified: Thu, 08 Apr 2010 02:54:30 GMT
Location: https://secure.example.com/users/mypage
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
I think I have found the problem: IE is sending two cookies of identical name. Here's the next request to the server:
GET /users/mypage HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-silverlight, */*
Referer: https://secure.example.com/users/login
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Host: secure.example.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CAKEPHP=19c6...; CAKEPHP=d55c...
Notice that it sends two cookies, the one it received after logging in, but also the old one. It received the old one at the main page example.com, set with path=/. It's also sending it for requests to secure.example.com. It doesn't get replaced by the above header, instead it adds it as an additional cookie. How can I stop it from doing that?
Make sure the cookies are emitted for your base domain.
That's very likely the problem, since this behavior certainly varies in different browsers.
I haven't done it in CakePHP, but this should work.
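What the question observed, and what the answer's fix does to it, can be reproduced with a cookie store that follows the same rules browsers do: a cookie is identified by the (name, domain, path) tuple, so a host-only cookie for secure.example.com never replaces a cookie that was set with Domain=.example.com at the main site, and an expiring Set-Cookie only deletes the entry whose domain and path match exactly. The example below is added here and is not code from the question or the answer; it uses Python's http.cookiejar as a stand-in for the browser's cookie store (not IE itself), the host names from the question, and constructed session-id values. Which of the two duplicate values the application then sees depends on the server-side cookie parser, so the safe assumption is that it may pick the stale one, which is exactly the failure the question describes.

```python
"""Model the two-cookie problem from the question with http.cookiejar, then
show the fix the answer recommends: expire the stale cookie on the domain it
was originally set for.

Added example, not code from the original post. Session-id values are
constructed; host names are the ones used in the question."""
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return an object with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


PAST = "Sun, 05-Apr-2009 04:50:35 GMT"    # any past date deletes a cookie
FUTURE = "Mon, 12 Apr 2099 04:50:36 GMT"  # constructed far-future expiry


def login_flow(delete_on_base_domain: bool) -> str:
    """Replay the question's flow and return the Cookie header the browser
    would send on the post-login request to /users/mypage."""
    jar = http.cookiejar.CookieJar()

    # 1. Visit to the main site: a session cookie scoped to the whole
    #    registrable domain (Domain=.example.com), like the one the question
    #    says was picked up at example.com with path=/.
    req = urllib.request.Request("https://example.com/")
    jar.extract_cookies(FakeResponse([
        f"CAKEPHP=old-unauth-sid; Domain=.example.com; Path=/; Expires={FUTURE}",
    ]), req)

    # 2. POST /users/login on the secure host; the 302 carries the two
    #    Set-Cookie headers from the question. With no Domain attribute these
    #    are host-only cookies for secure.example.com, a different
    #    (name, domain, path) entry than the one stored in step 1, so the
    #    "deleted" header removes nothing and the new cookie sits beside
    #    the old one.
    req = urllib.request.Request("https://secure.example.com/users/login")
    headers = [
        f"CAKEPHP=deleted; Expires={PAST}; Path=/",
        f"CAKEPHP=new-auth-sid; Expires={FUTURE}; Path=/; Secure",
    ]
    if delete_on_base_domain:
        # The fix: expire the cookie on the domain it was set for, so the
        # (CAKEPHP, .example.com, /) entry is actually removed.
        headers.insert(
            0, f"CAKEPHP=deleted; Domain=.example.com; Expires={PAST}; Path=/")
    jar.extract_cookies(FakeResponse(headers), req)

    # 3. Follow the redirect and see which cookies the jar attaches.
    req = urllib.request.Request("https://secure.example.com/users/mypage")
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


if __name__ == "__main__":
    print("without fix:", login_flow(False))  # both CAKEPHP values, old first
    print("with fix:   ", login_flow(True))   # only the new one
```

Two practitioner notes. First, the same mechanism is a session-fixation vector: anyone who can set a cookie on the parent domain (a sibling subdomain, for instance) can plant a same-name cookie that shadows yours, and the server cannot tell the two apart from the Cookie header alone; this is the "weak integrity" property RFC 6265 warns about. Second, in current browsers the `__Host-` cookie-name prefix rules this out structurally, because a `__Host-` cookie must be Secure, must have Path=/ and must not carry a Domain attribute, so no parent-domain cookie can share its name; IE never supported the prefix, which is why the answer's approach (delete on the base domain, then set) is the portable one.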