stackoom
  简体   繁体   中英

Set-Cookie Header Ignored

 原文  2017-02-01 18:24:40       javascript/ angular/ express/ cookies

Question

The csrf cookie sent by my backend seems to be ignored by browsers.

请求和回应

The request is being made via Angular (2) from http://localhost.mydomain.com:4200 like so: 

get() {
  let headers = new Headers({
    'Content-Type'    : 'application/json',
    'withCredentials' : true
  });
  let options = new RequestOptions({headers : headers});
  return this.http.post('https://api.mydomain.com', {
    o : 'csrf',
    m : 'get',
    p : {}
  }, options)
    .map((res: Response) => {
      console.log('response received: ', res)
    })
    .catch((err: any) => {
      console.log('error received: ', err);
      return Observable.throw(err);
    });
}

The request is being received by AWS API Gateway/Lambda running Express 4.x and sent back as: 

res.cookie('csrf', token, {domain : '.mydomain.com'});

Setting cookies on xhr responses should be fine. Because both the request and response are subdomains of mydomain.com I shouldn't need the withCredentials option (though, as shown, I tried sending it anyway). The response is received and the header is there. It's just not being set.

It's being ignored in Chrome, Firefox and IE so I'm sure the problem is I'm missing something obvious :)

1 answers

solution1
 0 ACCPTED  2017-02-01 21:34:45

For anyone that stumbles on this @robertklep and @charliefl were correct (thanks!). The correct way to write my request was: 

get() {
  let headers = new Headers({
    'Content-Type'    : 'application/json'
  });
  let options = new RequestOptions({
    headers : headers,
    withCredentials: true
  });
  return this.http.post('https://api.mydomain.com', {
    o : 'csrf',
    m : 'get',
    p : {}
  }, options)
    .map((res: Response) => {
      console.log('response received: ', res)
    })
    .catch((err: any) => {
      console.log('error received: ', err);
      return Observable.throw(err);
    });
}

In addition, because I was trying to be lazy and use a wildcard in the 'Access-Control-Allow-Origin' on my server I then ran into the error: 

 A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true

If you have multiple domains consuming your API you'll have to set the 'Access-Control-Allow-Origin' dynamically on your server as discussed here and here depending on what domains/subdomains you want to allow.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Set-Cookie in HTTP header is ignored with AngularJS Why is the “Set-Cookie” header ignored with an ajax request? Set-Cookie header not setting cookie in Chrome Why is a set-cookie header being ignored by browser and the cookies not saved from an Ajax call using fetch? Set-Cookie header not being sent set-cookie header in response but not setting in browser set-cookie header not being returned by javascript Set-Cookie header not accepted by javascript fetch Not able to read Set-Cookie response header Unable to access Set-cookie response header and/or cookie request header
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM