
Angular2 Set-Cookie JSESSIONID in HTTP requests

I'm using the auth0/angular2-jwt library to append the JWT on each request.

I'd like to know how I can also add the JSESSIONID cookie on each request, so that I hit the server-side session.

Is this a good practice?

I've tried this with no success:

let myHeader = new Headers();
myHeader.append('SET-COOKIE', 'JSESSIONID=<jsessionid>');

this.authHttp.get(endpoint, {headers: myHeader, withCredentials: true}).map(res => res.json()).subscribe(
  jwt => {
    ...
  },err => console.log(err));

Is it good practice?

No, it is not good practice.

From the JWT docs:

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned and must be saved locally (typically in local storage, but cookies can also be used), instead of the traditional approach of creating a session in the server and returning a cookie.

Reference: https://jwt.io/introduction/

JSESSIONID

You need to know that there are multiple types of cookies stored in the browser. Many of them are accessible from JS code, but some of them are httpOnly. This means that the browser appends them to every request transparently to the JS code (you will not see the cookie in your code). The default server-side implementation of JSESSIONID is an example of an httpOnly cookie. There are security reasons for this kind of design: JS malware on your page will not be able to steal the session from the client.

Headers

myHeader.append('SET-COOKIE', 'JSESSIONID=<jsessionid>');

This is not a valid way to pass cookies to the server. It is the correct way to send a response to the client and set cookies on the client. If you want to pass cookies, you would use:

myHeader.append('Cookie', 'JSESSIONID=<jsessionid>');

Still, this will not work. The browser will append its own anyway. That said, JSESSIONID should be appended to your requests automatically by the browser. If this does not happen, either the JSESSIONID cookie is not set in the browser (check Chrome developer tools; you can view cookies in the Application tab) or you are using a remote server on a different port/host/protocol than your app (in which case CORS comes in and ruins your app).
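The two halves of the JSESSIONID exchange the answer describes, written out as an added example (not code from the question, the answer or angular2-jwt): which request headers the browser refuses to let script set, what the server must send for the cookie to be stored but unreadable from JS, and the CORS headers a credentialed cross-origin request needs. Session ids, origins and the `effectiveRequestHeaders` browser model are constructed for illustration.

```typescript
// Fetch-spec "forbidden header names": a browser drops these when script sets them,
// so myHeader.append('Cookie', ...) or append('Set-Cookie', ...) has no effect.
const FORBIDDEN_REQUEST_HEADERS = new Set(['cookie', 'set-cookie', 'cookie2', 'host', 'origin']);

export function isForbiddenRequestHeader(name: string): boolean {
  return FORBIDDEN_REQUEST_HEADERS.has(name.toLowerCase());
}

// Server side: a session cookie the browser stores but document.cookie cannot read.
// The session id is a constructed sample; a real container generates it.
export function buildSessionCookie(sessionId: string): string {
  if (!/^[A-Za-z0-9]+$/.test(sessionId)) throw new Error('invalid session id');
  return `JSESSIONID=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Server side: CORS response headers for a request sent with withCredentials: true.
// Browsers reject a wildcard origin when credentials are included, so echo only an
// allow-listed origin and never '*'.
export function corsHeadersForCredentialedRequest(
  requestOrigin: string,
  allowedOrigins: string[],
): Record<string, string> | null {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Client side: a simplified model of what the browser actually puts on the wire
// given the headers script supplied (a constructed model, not a browser API).
export function effectiveRequestHeaders(
  scriptHeaders: Record<string, string>,
  storedCookies: Array<[string, string]>,
  withCredentials: boolean,
  crossOrigin: boolean,
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (!isForbiddenRequestHeader(name)) out[name] = value;
  }
  // The browser attaches stored cookies itself; cross-origin only when withCredentials is set.
  if (storedCookies.length > 0 && (!crossOrigin || withCredentials)) {
    out['Cookie'] = storedCookies.map(([n, v]) => `${n}=${v}`).join('; ');
  }
  return out;
}
```

If `effectiveRequestHeaders` yields no `Cookie` for your cross-origin call, the fix is on the server (matching CORS headers) and in the client options (`withCredentials: true`), not in a hand-built header.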

Easiest Solution

import { Injectable } from '@angular/core';
import { HttpInterceptor, HttpRequest, HttpHandler, HttpEvent } from '@angular/common/http';
import { Observable } from 'rxjs';

@Injectable()
export class SessionInterceptor implements HttpInterceptor {
    // RestProvider is the app's own token service (not shown here)
    constructor(public restProvider: RestProvider) { }

    intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        if (this.restProvider.getToken() != null) {
            // Mark the call as AJAX; the browser attaches the JSESSIONID cookie itself
            const clonedRequest = request.clone({
                headers: request.headers.set('X-Requested-With', 'XMLHttpRequest')
            });
            return next.handle(clonedRequest);
        }
        return next.handle(request);
    }
}
