“尝试通过 Set-cookie 标头设置 cookie 被阻止”问题。 堆栈(ExpressJS、ReactJS、PassportJS)
[英]"Attemp to set a cookie via a Set-cookie header was blocked" Problem. Stack (ExpressJS, ReactJS, PassportJS)
问题描述
I'm implementing Google Authentication with Passport JS.
我正在使用 Passport JS 实现 Google 身份验证。 Everything works fine on localhost, but I have a problem in production.在本地主机上一切正常,但我在生产中遇到了问题。
My backend is deployed on render.com My frontend is deployed on vercel.app我的后端部署在 render.com 我的前端部署在 vercel.app
Cookies are not set on the frontend due to This attempt to set a cookie via a Set-cookie header was blocked because its Domain attribute was invalid with regards to the current host url Cookies 未在前端设置,因为This attempt to set a cookie via a Set-cookie header was blocked because its Domain attribute was invalid with regards to the current host url
Here are my express-session configs:这是我的快速会话配置:
const domain = process.env.DOMAIN;
domain is gotten from render.com environment variables: DOMAIN = review-website-mu.vercel.app域是从 render.com 环境变量中获取的: DOMAIN = review-website-mu.vercel.app
Setting cookies configs programmatically:以编程方式设置 cookies 配置:
if (domain) cookiesConfigs = {
domain: domain,
sameSite: 'none',
secure: false
}
Setting session configs:设置会话配置:
app.use(session({
secret:'review-website',
resave: false,
saveUninitialized: false,
store: new sessionStore({db: 'sessions.db', dir: './'}),
cookie: cookiesConfigs
}));
Here's the problem:这是问题所在:
error while setting cookies设置 cookie 时出错
empty application cookies storage清空应用程序 cookie 存储
How can I fix it and make my app set cookies on the front side?我该如何修复它并让我的应用程序在前端设置 cookie?
The domain name is exactly the same as domain of the front-end, but nevertheless it doesn't work域名和前端domain一模一样,但是还是不行
1 个解决方案
解决方案1
0 2022-12-21 07:12:51
So, after hours researching this question, I came up with the next info:所以,在研究这个问题几个小时后,我想出了下一个信息:
According to the RFC 6265 HTTP State Management Mechanism and exactly 4.1.2.3 "The Domain Attribute":根据RFC 6265 HTTP 状态管理机制和 4.1.2.3“域属性”:
[...] The user agent will reject cookies unless the Domain attribute
specifies a scope for the cookie that would include the origin
server.
[...] For example, the user agent will accept a cookie with a
Domain attribute of "example.com" or of "foo.example.com" from
foo.example.com, but the user agent will not accept a cookie with a
Domain attribute of "bar.example.com" or of "baz.foo.example.com".
[...] NOTE: For security reasons, many user agents are configured to reject
Domain attributes that correspond to "public suffixes".
Firts step was to host my frontend and backend both on the same hosting (render.com) , but that did not work after all.第一步是在同一主机(render.com)上托管我的前端和后端,但这毕竟不起作用。
Firstly, because my front-side and back-side of the application are on different subdomains, and this does not match the quote above.首先,因为我的应用程序的前端和后端在不同的子域上,这与上面的引用不符。 (So it would work, if front-end was mysite.com and backend was api.mysite.com , but not frontend.mysite.com and api.mysite.com ). (所以它会工作,如果前端是mysite.com和后端是api.mysite.com ,但不是frontend.mysite.com和api.mysite.com )。
Secondly, onrender.com is in the Public Suffix List, so you can not set cookies on the site via the domain attribute whether this domain is in that list.其次, onrender.com在公共后缀列表中,因此无论该域是否在该列表中,您都无法通过域属性在站点上设置 cookie。 The solution here would be to buy your own custom domain and set it according to the point I have written above.这里的解决方案是购买您自己的自定义域并根据我上面写的要点进行设置。
Finally, my solution was just to omit the domain attribute in cookies configs, but to leave Samesite: 'none' and Secure attributes.最后,我的解决方案只是省略 cookie 配置中the domain attribute ,但保留Samesite: 'none'和Secure属性。 I still don't see cookies on my front end cookies storage but it works somehow, though.我仍然没有在我的前端 cookie 存储中看到 cookie,但它以某种方式工作。
if (domain) cookiesConfigs = {
sameSite: 'none',
secure: true (or false, it doesn't matter here)
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.