邮差不使用cookie [英] Postman is not using cookie
问题描述
我在应用程序开发中一直在使用Postman一段时间,从来没有任何问题。我通常在Google调试我的ASP.NET API代码时使用它。
大约一个月前,我开始遇到Postman似乎并没有问题的问题发送我的网站发布的cookie。通过Fiddler,我检查了我正在对我的API进行的调用,并看到邮差不会发送由我的API应用程序发出的cookie 。这是发送其他饼干,但不是它应该发送的 - 请看下面:
在Cookies下,我确实看到了我发出的Cookie,即 .AspNetCore.mysite_cookie - 见下文:
任何想法为什么会发生这种情况?
PS我认为这个问题是在我对代码进行一些更改以命名我的cookie后开始的。我的API应用程序使用社交身份验证,并决定命名这两个cookie,即一旦用户通过身份验证时我从Facebook / Google / LinkedIn收到的一个cookie,以及我向经过身份验证的用户发出的一个。我称之为从社交网站 social_auth_cookie 获得的cookie,我发出的cookie名为 mysite_cookie 。我认为这与我遇到的这个问题有关。
有问题的cookie无法合法地通过HTTP连接,因为它的安全属性已设置。
由于某些原因, mysite_cookie 的安全属性设置与 social_auth_cookie 不同,您在代码中设置它...
var cookie = new HttpCookie(mysite_cookie,cookieValue);
cookie.Secure = true;
...或者因为服务被配置为自动设置它,例如在 web.config中:
< httpCookies httpOnlyCookies =truerequireSSL =true/>
标志还可能由生产环境中的网络设备(例如SSL卸载设备)设置。但是这在你的开发环境中不太可能。
我建议你尝试使用相同的代码库,但通过https连接。如果您正在处理影响认证机制的代码,那么您确实应该使用SSL设置您的开发环境,否则您将错过很多错误,并且您将无法执行任何有意义的笔测试或应用程序扫描潜在威胁。
I've been using Postman in my app development for some time and never had any issues. I typically use it with Google Chrome while I debug my ASP.NET API code.
About a month or so ago, I started having problems where Postman doesn't seem to send the cookie my site issued.
Through Fiddler, I inspect the call I'm making to my API and see that Postman is NOT sending the cookie issued by my API app. It's sending other cookies but not the one it is supposed to send -- see below:
Under "Cookies", I do see the cookie I issue i.e. .AspNetCore.mysite_cookie -- see below:
Any idea why this might be happening?
P.S. I think this issue started after I made some changes to my code to name my cookie. My API app uses social authentication and I decided to name both cookies i.e. the one I receive from Facebook/Google/LinkedIn once the user is authenticated and the one I issue to authenticated users. I call the cookie I get from social sites social_auth_cookie and the one I issue is named mysite_cookie. I think this has something to do with this issue I'm having.
The cookie in question cannot legally be sent over an HTTP connection because its secure attribute is set.
For some reason, mysite_cookie has its secure attribute set differently from social_auth_cookie, either because you are setting it in code...
var cookie = new HttpCookie("mysite_cookie", cookieValue);
cookie.Secure = true;
...or because the service is configured to automatically set it, e.g. with something like this in web.config:
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
The flag could also potentially set by a network device (e.g. an SSL offloading appliance) in a production environment. But that's not very likely in your dev environment.
I suggest you try to same code base but over an https connection. If you are working on code that affects authentication mechanisms, you really really ought to set up your development environment with SSL anyway, or else you are going to miss a lot of bugs, and you won't be able to perform any meaningful pen testing or app scanning for potential threats.
这篇关于邮差不使用cookie的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
