HttpOnly cookie不是通过请求发送的
[英]HttpOnly cookies not sent by request
问题描述
I want to use HttpOnly cookies and I set it in Java as follows: 
我想使用HttpOnly cookie,我在Java中设置它如下:
...
Cookie accessTokenCookie = new Cookie("token", userToken);
accessTokenCookie.setHttpOnly(true);
accessTokenCookie.setSecure(true);
accessTokenCookie.setPath("/");
response.addCookie(accessTokenCookie);
Cookie refreshTokenCookie = new Cookie("refreshToken", refreshToken);
refreshTokenCookie.setHttpOnly(true);
refreshTokenCookie.setSecure(true);
refreshTokenCookie.setPath("/");
response.addCookie(refreshTokenCookie);
...
I got the client side the response with the cookies, but when I send the next request I do not have the cookies on the request. 我得到了客户端的cookie响应,但是当我发送下一个请求时,我没有请求cookie。 Maybe I miss something, but as I understood, these HttpOnly cookies has to be sent by the browser back on every request (JavaScript does not have access to those cookies) coming to the defined path. 也许我想念一些东西,但据我HttpOnly ,这些HttpOnly cookie必须由浏览器在每次请求(JavaScript无法访问这些cookie)时发送到定义的路径。
I have the following Request Headers: 我有以下请求标题:
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8,hu;q=0.6,ro;q=0.4,fr;q=0.2,de;q=0.2
Authorization:Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Connection:keep-alive
Content-Length:35
content-type:text/plain
Host:localhost:8080
Origin:http://localhost:4200
Referer:http://localhost:4200/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36
X-Requested-With:XMLHttpRequest
and the following response headers: 以及以下响应标头:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:4200
Access-Control-Expose-Headers:Access-Control-Allow-Origin, Content-Type, Date, Link, Server, X-Application-Context, X-Total-Count
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:482
Content-Type:application/json;charset=ISO-8859-1
Date:Fri, 03 Feb 2017 13:11:29 GMT
Expires:0
Pragma:no-cache
Set-Cookie:token=eyJhbGciO;Max-Age=10000;path=/;Secure;HttpOnly
Set-Cookie:refreshToken=eyJhb8w;Max-Age=10000;path=/;Secure;HttpOnly
Vary:Origin
Also in the client side I use withCredentials: true in Angular2 and X-Requested-With:XMLHttpRequest as request header. 同样在客户端,我使用withCredentials: true在Angular2中使用withCredentials: true在X-Requested-With:XMLHttpRequest作为请求头。
And it is Cross Domain. 它是Cross Domain。
1 个解决方案
解决方案1
4 已采纳 2017-02-03 06:58:17
Yes you are correct having the cookie your browser should send the cookie automatically while it is not expired and the httpOnly flag means it cannot be accessed or manipulated via JavaScript. 是的,你正确拥有cookie,你的浏览器应该在它没有过期时自动发送cookie,而httpOnly标志意味着它无法通过JavaScript访问或操作。
However 然而
You need to ensure that the cookie you are sending is not cross domain, if you require it cross domain you will need to handle it differently. 您需要确保您发送的cookie不是跨域,如果您需要跨域,则需要以不同方式处理它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.