xmlhttprequest和set-cookie&曲奇饼 [英] xmlhttprequest and set-cookie & cookie

问题描述

我想我误解了使用xmlhttprequest的cookies的管理。我有一个服务器响应javascript中的 XMLHttpRequest ，我的服务器返回 Allow-Control-Access-Origin Access-Control-Allow-Headers ， Access-Control-Expose-Headers 和

i think i misunderstood the management of cookies with xmlhttprequest. I have a server that response to the XMLHttpRequest made in javascript, my server returns Allow-Control-Access-Origin, Access-Control-Allow-Headers, Access-Control-Expose-Headers and Access-Control-Allow-Credentials headers with the correct value.

我正在做一个摘要在一个服务器使用javascript验证，没有问题，我收到ok的 WWW-Authenticate 头，从服务器，我处理和发送到服务器的授权头与所有的digest-response和一切正常。
问题是，当digest-challenge成功时，我的服务器返回一个Set-Cookie头，我得到它，并添加到我所有的xhr请求的其余部分。
浏览器（使用Chromium和Chrome）不允许我访问标题：

I'm doing a Digest Authenticate in a server with javascript, no problem in that, i receive ok the WWW-Authenticate header from server, i process and send to the server the Authorization header with all the digest-response and everything ok. The problem is, that when the digest-challenge is succesful, my server returns a Set-Cookie Header, i have to get it and add to the rest of all of my xhr request. The browser (using Chromium and Chrome) not let me access to the header doing:

xhr.getResponseHeader("Set-Cookie");

好，在 XMLHTTPREQUEST Level 2 它说：返回响应中的所有头，除了那些字段名为Set-Cookie或Set-Cookie2
好​​，所以我不能接受，但是有什么办法呢？使用Chrome Api的Cookie（目前我不读的注意到它），但我想做一个标准的方式作为可行。
使用：

Ok, in the XMLHTTPREQUEST Level 2 it says: "Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2" Ok, so i cant take it, but what are the ways? Using the Chrome Api for cookies (at the moment i dont read noting about it), but i want to do for a standard manner as posible. With the:

xhr.withCredentials = true;

表示浏览器自动获取set-cookie并发送cookie头

means that the browser automatically get the set-cookie and send in cookie headers??

推荐答案

从CORS规范 http://www.w3.org/TR/cors/#make-a-request-steps ：

每当应用请求步骤时，从原始来源源中提取具有手动重定向标志的请求URL，如果设置了省略凭证标志，则设置块cookie标志。使用方法请求方法，实体主体请求实体主体，包括作者请求标头，如果未设置忽略凭证标志，则包括用户凭据。

Whenever the make a request steps are applied, fetch the request URL from origin source origin with the manual redirect flag set, and the block cookies flag set if the omit credentials flag is set. Use method request method, entity body request entity body, including the author request headers, and include user credentials if the omit credentials flag is unset. Exclude the Referer header if source origin is a globally unique identifier.

如果您正确地说 - 如果您使用 withCredentials 。

As you correctly says - cookies are added by browser if you use withCredentials.

这篇关于xmlhttprequest和set-cookie&曲奇饼的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！