从HttpResponseMessage可见的Cookie,但在Javascript中不可见
[英]Cookies visible from HttpResponseMessage but not in Javascript
问题描述
I have a login service which passes user login information to my application when I login. 
我有一个登录服务,当我登录时会将用户登录信息传递给我的应用程序。 This will call first page of my application on successful login. 成功登录后,这将调用我的应用程序的首页。 The user info is passed as part of a cookie in this request. 在此请求中,用户信息作为cookie的一部分传递。
I am trying to read these cookies from the request in my Web API request using the below code. 我正在尝试使用以下代码从Web API请求中的请求中读取这些Cookie。
CookieHeaderValue getAccessUserInfo = request.Headers.GetCookies("GAUSERINFO").FirstOrDefault();
if (getAccessUserInfo != null)
{
userInfo = getAccessUserInfo["GAUSERINFO"].Values.Get("corporate_id");
Logger.Info(string.Format("User Cookie {0}", userInfo));
return userInfo;
}
But if I am trying to read the same cookie from javascript or angular js, I am not able to see that cookie in the collection. 但是,如果我尝试从javascript或angular js中读取相同的cookie,则无法在集合中看到该cookie。 Below is the code I am using to read the cookie in angular js. 以下是我用于读取angular js中的cookie的代码。
console.log($document[0].cookie);
This is the cookie I can see from the result. 这是我从结果中可以看到的cookie。 The cookie I am expecting is GAUSERINFO along with the below cookies. 我期望的cookie是GAUSERINFO和以下cookie。
Is there a way to read these cookies from angular js or atleast pass that request body to the API so that I can read the cookie in my API using C# code. 有没有办法从angular js读取这些cookie或将请求正文至少传递给API,以便我可以使用C#代码读取API中的cookie。
1 个解决方案
解决方案1
6 已采纳 2017-10-27 21:24:59
JavaScript doesn't have access to HTTP only cookies for security reasons. 出于安全原因,JavaScript无法访问仅HTTP cookie。 In order to prevent XSS attacks , generally user session/login information should be HTTP only. 为了防止XSS攻击 ,通常,用户会话/登录信息应仅是HTTP。 If an attacker were to get the user's session information, they could impersonate the user. 如果攻击者要获取用户的会话信息,则他们可能会冒充用户。 If you want to expose user info like corporate_id to the client side, it can be in a separate cookie that is not marked as HttpOnly. 如果要向客户端公开诸如corporate_id之类的用户信息,则可以将其放置在未标记为HttpOnly的单独cookie中。
From MSDN for HttpCookie.HttpOnly : 从MSDN获得HttpCookie.HttpOnly :
Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information.
To use corporate_id client side, create a separate cookie with the only the information you need client side and when you create it in your C# code be sure to set HttpOnly to false. 要使用corporate_id客户端,请仅使用客户端所需的信息创建一个单独的cookie,并且在C#代码中创建时,请确保将HttpOnly设置为false。
Edit: If your use case is to forward the cookie along to your API using Angular's $http service, there's additional configuration you can do for it which is detailed in this answer: https://stackoverflow.com/a/17065576/6950124 编辑:如果您的用例是使用Angular的$ http服务将cookie转发到您的API,则可以为此进行其他配置,请参见此答案: https : //stackoverflow.com/a/17065576/6950124
The summary of it being that you need to set $httpProvider.defaults.withCredentials = true; 其摘要是您需要设置$httpProvider.defaults.withCredentials = true; and potentially also configure your web server to send back the header Access-Control-Allow-Credentials: true when the browser initially requests the page. 并可能还会将您的Web服务器配置为发回标头Access-Control-Allow-Credentials: true当浏览器最初请求该页面时为Access-Control-Allow-Credentials: true 。 This lets the browser know that your JavaScript code can have partial access to the HttpOnly cookies. 这使浏览器知道您的JavaScript代码可以部分访问HttpOnly cookie。
The underlying browser code for making the AJAX call should forward HttpOnly cookies if you have everything configured properly. 如果一切配置正确,则用于进行AJAX调用的基础浏览器代码应转发HttpOnly cookie。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.