Authentication Cors集COOKIE头
由Daniel W.回答Authentication Cors集COOKIE头,authentication,cross-domain,setcookie,samesite,Authentication,Cross Domain,Setcookie,Samesite,由Daniel W.回答 My mistake was that I was calling a HTTP server endpoint instead of it's HTTPS version. 其他问题都涉及到同一个主题,但这个问题在所有尝试之后都没有得到解决 我的问题: Set-Cookie: .AspNetCore.Cookies=SomeCookieHere; expires=Sun, 10 Sep 2022 14:12:52 GMT; path=/; secure; s
My mistake was that I was calling a HTTP server endpoint instead of it's HTTPS version.
其他问题都涉及到同一个主题,但这个问题在所有尝试之后都没有得到解决
我的问题:
Set-Cookie: .AspNetCore.Cookies=SomeCookieHere; expires=Sun, 10 Sep 2022 14:12:52 GMT; path=/; secure; samesite=none; httponly
$.post({
xhrFields: {
withCredentials: true
},
crossDomain: true,
type: 'POST',
url: 'http://localhost:8000/home/login',
data: {"userName":"userName","password":"password"},
contentType: "application/x-www-form-urlencoded",
dataType: "text/html",
success: function(data) {}
});
authBuilder.AddCookie(options =>
{
options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.LoginPath = new PathString("/");
})
我无法从第二个JS客户端登录:
- https://localhost:4433 工作正常(SET-COOKIE头存在且COOKIE已设置)
- https://localhost 不工作(存在SET-COOKIE标头,但未设置COOKIE)
Set-Cookie: .AspNetCore.Cookies=SomeCookieHere; expires=Sun, 10 Sep 2022 14:12:52 GMT; path=/; secure; samesite=none; httponly
$.post({
xhrFields: {
withCredentials: true
},
crossDomain: true,
type: 'POST',
url: 'http://localhost:8000/home/login',
data: {"userName":"userName","password":"password"},
contentType: "application/x-www-form-urlencoded",
dataType: "text/html",
success: function(data) {}
});
authBuilder.AddCookie(options =>
{
options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.LoginPath = new PathString("/");
})
http://localhost:8000/home/login
响应标题:
Set-Cookie: .AspNetCore.Cookies=SomeCookieHere; expires=Sun, 10 Sep 2022 14:12:52 GMT; path=/; secure; samesite=none; httponly
$.post({
xhrFields: {
withCredentials: true
},
crossDomain: true,
type: 'POST',
url: 'http://localhost:8000/home/login',
data: {"userName":"userName","password":"password"},
contentType: "application/x-www-form-urlencoded",
dataType: "text/html",
success: function(data) {}
});
authBuilder.AddCookie(options =>
{
options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.LoginPath = new PathString("/");
})
JavaScript:
Set-Cookie: .AspNetCore.Cookies=SomeCookieHere; expires=Sun, 10 Sep 2022 14:12:52 GMT; path=/; secure; samesite=none; httponly
$.post({
xhrFields: {
withCredentials: true
},
crossDomain: true,
type: 'POST',
url: 'http://localhost:8000/home/login',
data: {"userName":"userName","password":"password"},
contentType: "application/x-www-form-urlencoded",
dataType: "text/html",
success: function(data) {}
});
authBuilder.AddCookie(options =>
{
options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.LoginPath = new PathString("/");
})
C#:
Set-Cookie: .AspNetCore.Cookies=SomeCookieHere; expires=Sun, 10 Sep 2022 14:12:52 GMT; path=/; secure; samesite=none; httponly
$.post({
xhrFields: {
withCredentials: true
},
crossDomain: true,
type: 'POST',
url: 'http://localhost:8000/home/login',
data: {"userName":"userName","password":"password"},
contentType: "application/x-www-form-urlencoded",
dataType: "text/html",
success: function(data) {}
});
authBuilder.AddCookie(options =>
{
options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.LoginPath = new PathString("/");
})
无法在非安全上下文中设置安全cookie: 具有安全属性的cookie仅通过HTTPS协议通过加密请求发送到服务器,而不使用不安全的HTTP,因此中间人攻击者无法轻松访问。不安全的站点(URL中有http:)无法使用Secure属性设置cookie
在JS中,您有
http://localhost:8000/
。请解释问题中3个目标之间的差异。您从哪个站点执行ajax请求,从哪个站点发送cookie?Daniel,-服务器:-客户端1:是ASP Vue客户端,工作正常-客户端2:-简单的JS客户端,不工作如果关闭端口4433上的服务器并在端口443上重新启动它,它将工作。没有与我尝试根据HTTP服务器终结点验证HTTPS客户端相关的警告。但这解决了我的问题。使用HTTPS版本的端点是有效的。我在这件事上浪费了太多时间。@profimedica我不知道ASP,但你可以删除这个options.Cookie.SecurePolicy=CookieSecurePolicy.Always代码>在开发时,或者在本地安装证书并使用https。我已将开发证书和安全策略设置为“无”,如cookie所示:安全;samesite=无;httponly@profimedicacookie中的属性secure
源自options.cookie.SecurePolicy=CookieSecurePolicy.Always代码>