浏览器不保存从CORS请求获取的身份验证cookie

Question

====问题已解决====

下面描述的问题是由于未在基础xhr请求对象上正确设置属性'withCredentials'引起的。我们无法从下面给出的请求和响应的痕迹中看到。

对于Purescript用户：Affjax库的便利函数（put，get等）依赖于defaultRequest对象，该对象将此属性设置为false。

========================

在下面给出的请求和响应方案中，浏览器首先进行身份验证，然后尝试在Couchdb中创建数据库。

原点位于http://127.0.0.1，http://127.0.0.1:5984上的服务器，因此该请求被认为是跨域的。

此操作失败，并显示错误，指示客户端未经过身份验证。但是，就服务器而言，客户端进行了身份验证：它发送一个AuthSession cookie。问题是浏览器不会使用数据库创建请求返回该cookie。实际上，我无法通过任何Chrome界面找到cookie：它没有存储。

我完全不知道为什么。我检查了CORS规范（https://www.w3.org/TR/cors/#resource-sharing-check-0），据我所知，满足了接受cookie的所有要求。请求的原始域是http://127.0.0.1，此域位于Access-Control-Allow-Origin标头的内容中。请求的标头位于Access-Control-Allow-Headers标头的内容中。 Access-Control-Allow-Credentials为“true”。

对COUCHDB的预先认证请求

OPTIONS /_session HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

响应

HTTP/1.1 204 No Content
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: a307303b47
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Length: 0
Access-Control-Max-Age: 600
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, OPTIONS
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Credentials: true

实际认证请求

POST /_session HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Content-Length: 35
Pragma: no-cache
Cache-Control: no-cache
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://127.0.0.1/dist/index.html?user=cor&password=geheim
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

响应

HTTP/1.1 200 OK
Set-Cookie: AuthSession=YWRtaW46NUE5NjY4MTc6DBUWBuYmEGnyuJvrpic7Z6DEiko; Version=1; Path=/; HttpOnly
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Type: application/json
Content-Length: 46
Cache-Control: must-revalidate
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Credentials: true

预先要求在COUCHDB中创建数据库

OPTIONS /_node/couchdb@localhost/_config/admins/cor HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: PUT
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

响应

HTTP/1.1 204 No Content
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: bd94200e3e
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Length: 0
Access-Control-Max-Age: 600
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, OPTIONS
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Credentials: true

实际要求

PUT /_node/couchdb@localhost/_config/admins/cor HTTP/1.1
Host: 127.0.0.1:5984
Connection: keep-alive
Content-Length: 8
Pragma: no-cache
Cache-Control: no-cache
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://127.0.0.1/dist/index.html?user=cor&password=geheim
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

响应

HTTP/1.1 401 Unauthorized
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: 6eabdacc77
Server: CouchDB/2.1.1 (Erlang OTP/19)
Date: Wed, 28 Feb 2018 08:28:07 GMT
Content-Type: application/json
Content-Length: 64
Connection: close
Cache-Control: must-revalidate
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Access-Control-Allow-Origin: http://127.0.0.1
Access-Control-Allow-Credentials: true

Answer 1

下面描述的问题是由于未在基础xhr请求对象上正确设置属性'withCredentials'引起的。我们无法从下面给出的请求和响应的痕迹中看到。

对于Purescript用户：Affjax库的便利函数（put，get等）依赖于defaultRequest对象，该对象将此属性设置为false。

浏览器不保存从CORS请求获取的身份验证cookie

问题描述投票：0回答：1

1个回答

最新问题

浏览器不保存从CORS请求获取的身份验证cookie

问题描述 投票：0回答：1

1个回答

最新问题

问题描述投票：0回答：1