如何从一个域重定向到另一个域并在响应中设置 cookies 或标头？

Question

I am using FastAPI's RedirectResponse and trying to redirect the user from one application (domain) to another with some cookie set, but the cookie always gets deleted. If I try to add some headers, all the headers that I add to the redirect_response are deleted as well.

@router.post("/callback")
async def sso_callback(request: Request):
   jwt_token = generate_token(request)
   redirect_response = RedirectResponse(url="http://192.168.10.1/app/callback", 
                             status_code=303)
   redirect_response.set_cookie(key="accessToken", value=jwt_token, httponly=True)
   redirect_response.headers["Authorized"] = str(jwt_token)
   return redirect_response

How can I solve this? Thanks in advance for the help.

Answer 1

As described in this answer you cannot redirect to another domain with custom headers set, no matter what language or framework you use. A redirection in the HTTP protocol is basically just a header (ie, the Location header) associated with the response, and it doesn't allow for any headers to the target location to be added. When you are adding the Authorized header (which should normally be called 'Authorization' instead) using redirect_response.headers in the code snippet you provided, you are basically setting that header for the response which is instructing the browser/client to redirect, not for the redirect itself. In other words, you are sending that header back to the client .

As for the HTTP cookies , the browser stores the cookies sent by the server with the response (using the Set-Cookie response headers), and later sends the cookies with requests made to the same server inside a Cookie HTTP header. As per the documentation :

The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.

Hence, if this was a redirection from one application (with sub-domain, for example, abc.example.test ) to another (with sub-domain, for example, xyz.example.com ) that both have the same (parent) domain (and cookies have been set for example.test domain), cookies would be succesfully shared between the two applications. The browser will make a cookie available to the given domain including any sub-domains, no matter which protocol (HTTP/HTTPS) or port is used; you can though limit its availability using the domain , path , secure , and httpOnly flags (see here and here ).

However, you cannot set cookies for a different domain . If this was permitted, it would present an enormous security flaw. Hence, since you are "trying to redirect the user from one application (domain) to another with some cookie set,..." , it wouldn't work, as the cookie will only be sent with requests made to the same domain .

Solution

One way to solve this, as described here , is to have domain (application) A redirecting the user to domain (application) B, with the "access token" passed in the URL as a query parameter. Domain B would then read the token and set its own cookie, so that the browser will send that cookie with every subsequent request to domain B. Example is given below.

Please note that you should consider using a secure (HTTPS) communication, so that the token is transfered encrypted. Also, note that having the token in the query string poses a serious security risk , as sensitive data should never be passed in the query string. This is because the query string, which is part of the URL, appears in the address bar of the browser; thus, allowing the user to see and bookmark the URL with the token in it (meaning that it is saved on the disk). Also, the URL will make it to the browsing history , which means it will be written to the disk anyway and appear in the History tab (you can press Ctrl+H to access the browser's history). Both the above would allow attackers (as well as people you share the computer/mobile device/etc. with) to steal such sensitive information. Additionally, many browser plugins/extensions track users' browsing activity—every URL you visit is sent to their servers for analysis, in order to detect malicious websites and provide you with a warning when visiting such sites. Hence, you should take all the above into account when using the approach below (for related posts on this subject, see here , here and here ).

To prevent displaying the URL in the address bar, the approach below uses a redirection on domain B as well. Once domain B receives the request for /submit route with the token in the query parameters of the URL, domain B responds with a redirection to a bare URL with no tokens (ie, its home page). Because of this redirection, the URL with the token in it wouldn't end up in the browsing history. Although this provides some kind of protection against certain attacks described earlier, it doesn't mean that browser extensions/tools/etc. won't still be able to capture the URL with the token in it.

If you are testing this on localhost, you need to give application B a different domain name; otherwise, as mentioned earlier, cookies will be shared between applications having the same domain, and hence, you would end up receiving the cookies set for application A as well, and couldn't tell if the approach is working at all. To do that, you have to edit the /etc/hosts file (on Windows this is located in C:\Windows\System32\drivers\etc ) and assign a domain name to 127.0.0.1 . For example:

127.0.0.1 example.test

You shouldn't add the scheme or port to the domain, as well as shouldn't use common extensions, such as .com , .net , etc., otherwise it may conflict with accessing other websites on the internet.

In app A below, you need to access the home route (ie, / ) in your browser, where you can find and click the submit button to perform a POST request to the /submit route to start the redirection. The only reason for the POST request is because you are using it in your example and I am assuming you have to post some form-data . Otherwise, you could use a GET request as well. In app B, when performing a RedirectResponse from a POST route (ie, /submit ) to a GET route (ie, / ), the response status code has to change to status.HTTP_303_SEE_OTHER , as described here , here and here , and as shown below. App A is listening on port 8000 , while app B is listening on port 8001 (adjust the ports as desired).

appA.py

from fastapi import FastAPI
from fastapi.responses import RedirectResponse, HTMLResponse
import uvicorn

app = FastAPI()

@app.get('/', response_class=HTMLResponse)
def home():
    html_content = """
    <!DOCTYPE html>
    <html>
       <body>
          <h2>Click the "submit" button to be redirected to domain B</h2>
          <form method="POST" action="/submit">
             <input type="submit" value="Submit">
          </form>
       </body>
    </html>
    """
    return HTMLResponse(content=html_content, status_code=200)
        
@app.post("/submit")
def submit():
    token = 'MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3'
    redirect_url = f'http://example.test:8001/submit?token={token}'  
    return RedirectResponse(redirect_url)
 
if __name__ == '__main__':
    uvicorn.run(app, host='0.0.0.0', port=8000)

appB.py

from fastapi import FastAPI, Request, status
from fastapi.responses import RedirectResponse
import uvicorn

app = FastAPI()

@app.get('/')
def home(request: Request):
    token = request.cookies.get('access-token')
    print(token)
    return 'You have been successfully redirected to domain B!' \
           f' Your access token ends with: {token[-4:]}'
 
@app.post("/submit")
def submit(request: Request, token: str):
    redirect_url = request.url_for('home')
    response = RedirectResponse(redirect_url, status_code=status.HTTP_303_SEE_OTHER)
    response.set_cookie(key="access-token", value=token, httponly=True)
    return response
 
if __name__ == '__main__':
    uvicorn.run(app, host='0.0.0.0', port=8001)