Chrome doesn't send cookies after redirect


Problem description

In node.js (using the Hapi framework) I'm creating a link for the user to allow my app to read the user's account. Google handles that request and asks about giving permissions. Then Google redirects to my server with a GET parameter as a response code, and here I have an issue.

Google Chrome isn't sending the cookie with the session ID.

If I mark that cookie as a session cookie in a cookie edit extension, it is sent. Same behavior in PHP, but PHP marks the cookie as a session cookie when creating the session, so it isn't a problem. I'm using the plugin hapi-auth-cookie; it creates the session and handles everything about it. I also mark that cookie in the hapi-auth-cookie settings as non-HttpOnly, because it was the first difference that I noticed when inspecting that PHP session cookie and mine in node.js. I get a 401 "missing authentication" response on each redirect. If I place the cursor in the address bar and hit enter, everything works fine, so it is an issue with the redirect.

My question is basically: what may be causing that behavior? On the other hand, I have to mention that Firefox sends the cookie after each request without any issues.

Headers after redirect (no cookie with session):

{
    "host": "localhost:3000",
    "connection": "keep-alive",
    "cache-control": "max-age=0",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
    "x-client-data": "CJS2eQHIprbJAQjEtskECKmdygE=",
    "x-chrome-connected": "id=110052060380026604986,mode=0,enable_account_consistency=false",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "accept-encoding": "gzip, deflate, sdch, br",
    "accept-language": "pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4"
}

Headers after hitting enter in the address bar (what works fine):

{
    "host": "localhost:3000",
    "connection": "keep-alive",
    "cache-control": "max-age=0",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "accept-encoding": "gzip, deflate, sdch, br",
    "accept-language": "pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4",
    "cookie": "SESSID=very_long_string"
}

Solution

This issue is caused by hapi-auth-cookie not dealing yet with isSameSite (a new feature of Hapi). We can set it manually, e.g.:

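const Hapi = require('hapi');

// Default cookie settings for every connection; isSameSite controls the SameSite attribute.
const server = new Hapi.Server({
    connections: {
        state: {
            isSameSite: 'Lax'
        }
    }
});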

But please consider that by default you have the 'Strict' option, and in many cases you may not want to change that value.
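
The behaviour described in the question and answer above, as an added example that is not part of the original post or of Hapi's code: a simplified JavaScript model of the browser's SameSite check. It shows why a 'Strict' session cookie is withheld on the return from Google but sent from the address bar, and that 'Lax' still withholds it on a cross-site POST. The function names, URLs and cookie values are constructed for illustration.

```javascript
// Added example: simplified model of the browser-side SameSite decision.
// Assumption: "site" is approximated by hostname; real browsers compare
// scheme and registrable domain using the Public Suffix List.

// Extract the SameSite attribute from a Set-Cookie header value.
function parseSameSite(setCookie) {
  for (const part of setCookie.split(';').slice(1)) {
    const [name, value = ''] = part.trim().split('=');
    if (name.toLowerCase() === 'samesite') {
      const v = value.trim().toLowerCase();
      if (['strict', 'lax', 'none'].includes(v)) return v;
    }
  }
  return 'unset'; // modelled here as unrestricted
}

// request.initiator is the URL of the page that triggered the request,
// or null when the user typed the URL or used a bookmark.
function cookieIsSent(setCookie, request) {
  const mode = parseSameSite(setCookie);
  if (mode === 'unset' || mode === 'none') return true;
  const sameSite = request.initiator === null ||
    new URL(request.initiator).hostname === new URL(request.url).hostname;
  if (sameSite) return true;
  if (mode === 'strict') return false; // never sent on cross-site requests
  // Lax: sent cross-site only for top-level navigations using a safe method.
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(request.method);
  return request.topLevel && safe;
}

// Constructed sample data (hypothetical URLs and cookie values).
const STRICT = 'SESSID=constructed; Path=/; SameSite=Strict';
const LAX = 'SESSID=constructed; Path=/; SameSite=Lax';
const oauthReturn = { url: 'http://localhost:3000/?code=constructed', method: 'GET',
  topLevel: true, initiator: 'https://accounts.google.com/' };
const addressBar = { url: 'http://localhost:3000/', method: 'GET',
  topLevel: true, initiator: null };
const crossSitePost = { url: 'http://localhost:3000/', method: 'POST',
  topLevel: true, initiator: 'https://other.example/' };

for (const [label, cookie] of [['Strict', STRICT], ['Lax', LAX]]) {
  console.log(label, {
    oauthReturn: cookieIsSent(cookie, oauthReturn),
    addressBar: cookieIsSent(cookie, addressBar),
    crossSitePost: cookieIsSent(cookie, crossSitePost),
  });
}
```

With 'Lax' the OAuth return navigation carries the session cookie while cross-site POSTs still do not, which is the trade-off to weigh before moving away from 'Strict'.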
