[英]Set-Cookie header not creating cookie in test environment
I have a local testing application mimicking the host test.mywebsite.com
on port 4200.我有一个本地测试应用程序模仿端口 4200 上的主机
test.mywebsite.com
。
It makes a call to api.test.mywebsite.com
(also locally hosted) to /login
它调用
api.test.mywebsite.com
(也是本地托管)到/login
The request passes, the server returns 200 and some information, and along with it it sets this header which I see in the response headers:请求通过,服务器返回 200 和一些信息,并随之设置此 header,我在响应标头中看到:
Set-Cookie: refreshToken={JWT here}; expires=Sun, 23-May-2021 20:38:32 GMT; Max-Age=1296000; path=/; domain=.test.mywebsite.com; HttpOnly
This doesn't get stored in my browser (either Chrome or Firefox) and I'm trying to figure out why.这不会存储在我的浏览器(Chrome 或 Firefox)中,我正试图找出原因。
Here's some more information about my setup if needed: Angular server using ng serve --host=test.mywebsite.com
to get the test frontend up on http://test.mywebsite.com:4200
Here's some more information about my setup if needed: Angular server using
ng serve --host=test.mywebsite.com
to get the test frontend up on http://test.mywebsite.com:4200
Kubernetes backend running on localhost
(with my hosts file redirecting api.test.mywebsite.com
to 127.0.0.1
) which directs the request to a PHP pod that creates the cookie using this code: Kubernetes backend running on
localhost
(with my hosts file redirecting api.test.mywebsite.com
to 127.0.0.1
) which directs the request to a PHP pod that creates the cookie using this code:
setcookie(
"refreshToken", // name
$refreshJWT->token, // token
$refreshJWT->expiration, // expires in 15 days
'/', // path
".".$refreshJWT->domain, // domain
($refreshJWT->environmentType === "test") ? false : true, // security
true // httponly
);
I fear it's something painfully simple or an oversight somewhere, but can't for the life of me find out what.我担心这是一件非常简单的事情或某个地方的疏忽,但我一生都无法找出是什么。 The only thing I can think of would be the port not matching with the cookie host, but as far as I know cookie domains are port-agnostic.
我唯一能想到的就是与 cookie 主机不匹配的端口,但据我所知,cookie 域与端口无关。 I've tried adding
:4200
to the end of the cookie domain anyway and still have the same problem.无论如何,我已经尝试将
:4200
添加到 cookie 域的末尾,但仍然遇到同样的问题。
Update: setcookie() returns true, so there's no output previous to setting the header.更新:setcookie() 返回 true,因此在设置 header 之前没有 output。
Update2: I deployed it to a staging server and the problem still occurs despite no DNS trickery or proxies going on.更新 2:我将它部署到临时服务器,尽管没有 DNS 欺骗或代理发生,问题仍然存在。
Update3: I've narrowed it down to a combination of my api server's Access-Control-Allow-Origin
header, and my JS' use of withCredentials
My Access-Control-Allow-Origin
is set to *
. Update3:我已将其范围缩小为 api 服务器的
Access-Control-Allow-Origin
header 和我的 JS 使用withCredentials
我的Access-Control-Allow-Origin
设置为*
的组合。 If I send the request withCredentials
as false
, it returns the body to the JS but refuses the cookie.如果我将请求
withCredentials
作为false
发送,它会将正文返回给 JS,但拒绝 cookie。 If I set withCredentials
to true, it sets the cookie but refuses to allow the JS to read the body.如果我将
withCredentials
设置为 true,它会设置 cookie 但拒绝让 JS 读取正文。
It makes a call to api.test.mywebsite.com
它调用 api.test.mywebsite.com
... ...
domain=.test.mywebsite.com
域=.test.mywebsite.com
These need to be the same hostname这些必须是相同的主机名
I found out the reason, for anyone who may be stumbling on this:我找到了原因,对于任何可能会遇到这个问题的人:
The first problems was while my requests were going through and returning 200, the cookie was not being set because I didn't agree to receive a cookie on the frontend.第一个问题是当我的请求通过并返回 200 时,没有设置 cookie,因为我不同意在前端接收 cookie。 To agree to cookies on the frontend, I had to use withCredentials .
为了同意前端的 cookies,我不得不使用withCredentials 。
The second problem was on the backend, I didn't explicitly send the header Access-Control-Allow-Credentials This would allow both front and backend to agree to a cookie exchange.第二个问题是在后端,我没有明确发送 header Access-Control-Allow-Credentials这将允许前端和后端都同意 cookie 交换。
The third problem was my backend had a wildcard set for Access-Control-Allow-Origin , which my browser requires to match the current host exactly if withCredentials
is used.第三个问题是我的后端为Access-Control-Allow-Origin设置了通配符,如果使用
withCredentials
,我的浏览器需要它与当前主机完全匹配。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.