Cookie 设置到不同的域(Node.js、Angular)
[英]Cookies are set into different domain (Node.js, Angular)
问题描述
I am doing web app using Angular and Node.js (Express) and I have a problem with cookies - they are set into my backend domain instead of my frontend.
我正在使用 Angular 和 Node.js (Express) 开发 Web 应用程序,但我遇到了 cookie 问题——它们被设置到我的后端域而不是我的前端。
When I make a POST request to /auth endpoint , server will return HttpOnly cookies - one is JWT and the second is refresh token.当我向/auth endpoint发出POST request ,服务器将返回 HttpOnly cookie - 一个是 JWT,第二个是刷新令牌。 When I inspect network tab in chrome, I can see that server sent these cookies back, but when I inspect Application > Storage > Cookies, nothing is here.当我在 chrome 中检查网络选项卡时,我可以看到服务器将这些 cookie 发回了,但是当我检查应用程序 > 存储 > Cookies 时,这里什么也没有。
I find out, that cookies are set on my backend domain.我发现,cookie 设置在我的后端域上。 (app-backend.com instead of app.com) They are just simply associated with my backend domain. (app-backend.com而不是app.com)它们只是简单地与我的后端域相关联。
Wierd thing is, that my app is working just fine on my computer, but when I switch to my phone, cookies are not sent from there (I am using iPhone with Safari or Chrome).奇怪的是,我的应用程序在我的计算机上运行得很好,但是当我切换到我的手机时,cookie 不是从那里发送的(我使用 iPhone 和 Safari 或 Chrome)。 Also, when I ran my app on localhost dev server, everything worked aswell.此外,当我在本地主机开发服务器上运行我的应用程序时,一切正常。
I tried to set domain in cookie config to my frontend domain, it is not working at all.我试图将 cookie 配置中的域设置为我的前端域,它根本不起作用。
Also, Chrome warns me with this message, I don't know if it has anything to do with my problem另外,Chrome 用此消息警告我,我不知道它是否与我的问题有关
A cookie associated with a cross-site resource at "my-domain" was set without the
SameSiteattribute.SameSite属性。 A future release of Chrome will only deliver cookies with cross-site requests if they are set withSameSite=NoneandSecure.SameSite=None和Secure进行设置,Chrome 的未来版本将仅提供具有跨站点请求的 cookie。 You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032 .
Here is my code on github:这是我在github上的代码:
Frontend: https://github.com/TenPetr/dashboard前端: https : //github.com/TenPetr/dashboard
Backend: https://github.com/TenPetr/dashboard_backend后端: https : //github.com/TenPetr/dashboard_backend
Thanks for your advices.谢谢你的建议。
1 个解决方案
解决方案1
2 2019-12-03 17:48:40
You are setting the SameSite=None; Secure您正在设置SameSite=None; Secure SameSite=None; Secure attributes in your production.json which is correct. SameSite=None; Secure您的production.json中的属性,这是正确的。 However, depending on your version of iOS / Safari you may be hitting an incompatibility issue where the cookies are incorrectly treated as SameSite=Strict .但是,根据您的 iOS / Safari 版本,您可能会遇到不兼容问题,其中 cookie 被错误地视为SameSite=Strict 。
In your development set-up you are both: not setting SameSite=None; Secure在您的开发设置中,您是:不设置SameSite=None; Secure SameSite=None; Secure , and might be using URLs that count as the same site anyway, eg serving on localhost can lead to some weird cookie behaviour. SameSite=None; Secure ,并且可能正在使用算作相同站点的 URL,例如,在localhost提供服务可能会导致一些奇怪的 cookie 行为。
I would try testing your production configuration without the SameSite=None attribute.我会尝试在没有SameSite=None属性的情况下测试您的生产配置。 If this then starts to work on Safari, then you are hitting that bug.如果这随后开始在 Safari 上工作,那么您就遇到了该错误。 You can mitigate this by either setting two versions of the cookie, or adding useragent sniffing.您可以通过设置两个版本的 cookie 或添加用户代理嗅探来缓解这种情况。 There are more details on https://web.dev/samesite-cookie-recipes https://web.dev/samesite-cookie-recipes上有更多详细信息
Alternatively, you may be hitting Safari cookie policy issues if you are attempting to set cookies from the back-end server when it's not a site the user actually visits.或者,如果在后端服务器不是用户实际访问的站点时尝试从后端服务器设置 cookie,您可能会遇到Safari cookie 策略问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.