如何设置webSocket JavaScript的Cookie标头?
[英]How to set cookie header for webSocket javascript?
问题描述
I am trying to open a websocket to a server with kerberos authentication, error during handshake occurs (error code : 400) ; 
我正在尝试使用kerberos身份验证打开服务器的websocket,握手期间发生错误(错误代码:400); i saw it's not possible to send credentials through web socket and what i have to do is to set the username and password through web socket cookie and the server will read them. 我看到不可能通过Web套接字发送凭据,而我要做的是通过Web套接字Cookie设置用户名和密码,服务器将读取它们。 So how can i set cookies for web socket ? 那么,如何为Web套接字设置cookie? thank you, 谢谢,
2 个解决方案
解决方案1
0 2017-04-05 17:55:44
You can set cookies for a webSocket connection the same way you set regular cookies, with document.cookie = xxxx . 您可以使用设置常规cookie的相同方式为webSocket连接设置cookie,即document.cookie = xxxx 。 All webSocket connections start with an HTTP request (with an upgrade header on it) and the cookies for the domain you are connecting to will be sent with that initial HTTP request to open the webSocket. 所有的webSocket连接都以HTTP请求(带有升级头)开头,并且要连接的域的cookie将与该初始HTTP请求一起发送,以打开webSocket。
So, as long as you are doing the webSocket connection to the same domain as your web page, then you can just set a cookie for that web page and it will be sent with the webSocket connection request. 因此,只要您将webSocket连接到与您的网页相同的域,就可以为该网页设置一个cookie,它将随webSocket连接请求一起发送。 And, as with other cookies, you set a cookie using document.cookie as described here on MDN . 并且,与其他cookie一样,您可以使用MDN上所述的document.cookie来设置cookie。
解决方案2
0 2018-07-22 18:38:58
It depends on the browser. 这取决于浏览器。 You may implement handling cookies if they arrive with the initial HTTP request to initiate a WebSocket connection, but if you can't require your users to, say, use Safari, which sends cookies with WebSocket open requests, and not Chrome, which does not, you'll probably have to implement a mechanism for the client to send in the session identifier in-band. 如果cookie与初始HTTP请求一起启动WebSocket连接时到达,则可以实现处理cookie,但是如果您不能要求用户使用Safari(Safari会发送带有WebSocket打开请求的cookie,而不是Chrome,Chrome不会发送) ,您可能必须实现一种机制,以便客户端在带内发送会话标识符。
One simple way to achieve this is for the client code to send in the session identifier as the first message in response to the open event, and the server code to interpret the first incoming message's content as the session cookie, to set up the appropriate privilege context (or perhaps close the connection if the cookie is unknown or otherwise grants no privileges to its bearer). 一种简单的实现方法是,客户端代码响应open事件将会话标识符作为第一条消息发送,而服务器代码将第一条传入消息的内容解释为会话cookie,以设置适当的特权上下文(如果cookie未知,或者如果不对其承载不授予任何特权,则可能关闭连接)。
Alternatively, if your WebSocket protocol has some sort of structured message infrastructure, you may define a specific message type for passing a session cookie to the server, as well as a matching response type for the server to let the client know what it thinks of the cookie. 另外,如果您的WebSocket协议具有某种结构化的消息基础结构,则可以定义用于将会话cookie传递到服务器的特定消息类型,以及服务器的匹配响应类型,以使客户端知道其对服务器的想法。曲奇饼。
It may be tempting to pass the session cookie in an URI parameter, as in ws://example.com/service?SESSION=123456 . 如ws://example.com/service?SESSION=123456 ,可能很想在URI参数中传递会话cookie。 This can be adequate in prototyping, but it is probably ill-advised in production, since session cookies should generally be treated as more sensitive than it is customary to treat the list of URIs requested from a web server. 这在原型制作中就足够了,但在生产中可能不建议这样做,因为通常应将会话cookie视为比处理从Web服务器请求的URI列表习惯的更为敏感。 Passing session cookies in such a way can work in the short term, but may increase the risk of their accidental exposure via, say, careless analytics techniques. 以这种方式传递会话Cookie可以在短期内起作用,但可能会通过诸如粗心的分析技术而增加意外暴露的风险。 This concern could in some other context be alleviated by passing the sensitive identifier in the body of the request (for example, as a so-called POST parameter), but WebSocket open requests can not have a non-empty body. 在其他情况下,可以通过在请求的正文中传递敏感标识符(例如,作为所谓的POST参数)来缓解此问题,但WebSocket打开请求不能具有非空正文。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.