我有两个WebApp1和WebApp2在两个不同的域。
我在WebApp1的HttpResponse中设置了一个cookie。 如何从WebApp2中的HttpRequest读取相同的cookie ?
我知道这听起来很奇怪,因为cookie是特定于给定域的,我们不能从不同的域访问它们;不过我听说过跨域cookie,它可以在多个web应用程序之间共享。如何使用跨域cookie实现这一需求?
注意:我正在尝试使用J2EE web应用程序
当前回答
您不能跨域共享cookie。但是,您可以允许所有子域具有访问权限。若要允许example.com的所有子域具有访问权限,请将域设置为.example.com。
这是不可能的。例如访问example.com的cookie。
其他回答
不允许跨域cookie(即站点A不能在站点B上设置cookie)。
但是一旦站点a设置了cookie,您甚至可以在从站点B到站点a的请求中发送该cookie(即跨域请求):
来自不同域的XMLHttpRequest不能为自己的域设置cookie值,除非在发出请求之前将withCredentials设置为true。通过将withCredentials设置为true获得的第三方cookie仍然遵循同源策略,因此请求脚本无法通过文档访问。Cookie或响应头。
一定要做到以下几点:
When setting the cookie in a response The Set-Cookie response header includes SameSite=None if the requests are cross-site (note a request from www.example.dev to static.example.dev is actually a same-site request, and can use SameSite=Strict) The Set-Cookie response header should include the Secure attribute if served over HTTPS; as seen here and here When sending/receiving the cookie: The request is made with withCredentials: true, as mentioned in other answers here and here, including the original request whose response sets the cookie set in the first place For the fetch API, this attribute is credentials: 'include', vs withCredentials: true For jQuery's ajax method, note you may need to supply argument crossDomain: true The server response includes cross-origin headers like Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, and Access-Control-Allow-Methods As @nabrown points out: "Note that the "Access-Control-Allow-Origin" cannot be the wildcard (*) value if you use the withCredentials: true" (see @nabrown's comment which explains one workaround for this. In general: Your browser hasn't disabled 3rd-party cookies. (* see below)
你不需要的东西(使用上面的):
domain attribute in the Set-Cookie; you can choose a root domain (i.e. a.example.com can set a cookie with a domain value of example.com, but it's not necessary; the cookie will still be sent to a.example.com, even if sent from b.other-site.example For the cookie to be visible in Chrome Dev Tools, "Application" tab; if the value of cookie HttpOnly attribute is true, Chrome won't show you the cookie value in the Application tab (it should show the cookie value when set in the initial request, and sent in subsequent responses where withCredentials: true)
注意Cookie中“路径”和“站点”之间的区别。“path”与安全无关;“site”与安全相关:
path
服务器可以在set - cookie中设置Path属性,但这似乎与安全无关:
注意,该路径用于性能,而不是安全性。具有相同来源的网页仍然可以通过文档访问cookie。Cookie,即使路径不匹配。
site
根据example.dev文章,SameSite属性可以限制或允许跨站点cookie;但是什么是“站点”呢?
准确理解“site”在这里的意思是很有帮助的。网站是域名后缀和域名前面的部分的组合。例如,www.example.dev域是example.dev站点的一部分…
这意味着从www.example.dev到static.example.dev的请求是一个sameSite请求(url的唯一区别在于子域)。
公共后缀列表定义了这个,所以 它不只是像。com这样的顶级域名,还包括服务 像github.io
这意味着对your-project.github的请求。IO来自my-project.github。io,是一个跨站点请求(这些url在不同的域,因为github。IO是域后缀;你的项目和我的项目的领域是不同的;因此不同的网站)
这意味着public后缀的左边;是子域(但子域是主机的一部分;请看这个答案中的奖金回复)
WWW是www.example.dev的子域;与static.example.dev相同的站点 Your-project是Your-project .github.io中的域;单独的网站my-project.github.io
在这个URL https://www.example.com:8888/examples/index.html中,请记住以下部分:
“协议”:https:// “方案”:HTTPS “端口”:8888 “域名”也就是位置。主机名:www.example.com “域名后缀”即“顶级域名”(TLD): com domain:示例 “子域”:WWW(子域可以是单层的(如WWW),也可以是多层的(如foo。Bar in foo.bar.example.com) “站点”(即“跨站点”,如果另一个URL具有不同的“站点”值):example.com "site" = "域名" + "域名后缀" = example.com 路径:/examples/index.html
有用的链接:
URL的剖析 同源cookie策略和URL剖析 SameSite cookies解释道 安全的跨域cookie的HTTP |互联网服务和应用期刊|全文 draft-ietf-httpbis-rfc6265bis-03 Web安全1:同源和Cookie策略 Set-Cookie - HTTP | MDN
(小心;我在Chrome隐身标签测试我的功能;根据我的chrome://设置/cookies;我的设置是“Incognito屏蔽第三方cookie”,所以我不能在Incognito中测试跨站点cookie。)
function GetOrder(status, filter) {
var isValid = true; //isValidGuid(customerId);
if (isValid) {
var refundhtmlstr = '';
//varsURL = ApiPath + '/api/Orders/Customer/' + customerId + '?status=' + status + '&filter=' + filter;
varsURL = ApiPath + '/api/Orders/Customer?status=' + status + '&filter=' + filter;
$.ajax({
type: "GET",
//url: ApiPath + '/api/Orders/Customer/' + customerId + '?status=' + status + '&filter=' + filter,
url: ApiPath + '/api/Orders/Customer?status=' + status + '&filter=' + filter,
dataType: "json",
crossDomain: true,
xhrFields: {
withCredentials: true
},
success: function (data) {
var htmlStr = '';
if (data == null || data.Count === 0) {
htmlStr = '<div class="card"><div class="card-header">Bu kriterlere uygun sipariş bulunamadı.</div></div>';
}
else {
$('#ReturnPolicyBtnUrl').attr('href', data.ReturnPolicyBtnUrl);
var groupedData = data.OrderDto.sort(function (x, y) {
return new Date(y.OrderDate) - new Date(x.OrderDate);
});
groupedData = _.groupBy(data.OrderDto, function (d) { return toMonthStr(d.OrderDate) });
localStorage['orderData'] = JSON.stringify(data.OrderDto);
$.each(groupedData, function (key, val) {
var sortedData = groupedData[key].sort(function (x, y) {
return new Date(y.OrderDate) - new Date(x.OrderDate);
});
htmlStr += '<div class="card-header">' + key + '</div>';
$.each(sortedData, function (keyitem, valitem) {
//Date Convertions
if (valitem.StatusDesc != null) {
valitem.StatusDesc = valitem.StatusDesc;
}
var date = valitem.OrderDate;
date = date.substring(0, 10).split('-');
date = date[2] + '.' + date[1] + '.' + date[0];
htmlStr += '<div class="col-lg-12 col-md-12 col-xs-12 col-sm-12 card-item clearfix ">' +
//'<div class="card-item-head"><span class="order-head">Sipariş No: <a href="ViewOrderDetails.html?CustomerId=' + customerId + '&OrderNo=' + valitem.OrderNumber + '" >' + valitem.OrderNumber + '</a></span><span class="order-date">' + date + '</span></div>' +
'<div class="card-item-head"><span class="order-head">Sipariş No: <a href="ViewOrderDetails.html?OrderNo=' + valitem.OrderNumber + '" >' + valitem.OrderNumber + '</a></span><span class="order-date">' + date + '</span></div>' +
'<div class="card-item-head-desc">' + valitem.StatusDesc + '</div>' +
'<div class="card-item-body">' +
'<div class="slider responsive">';
var i = 0;
$.each(valitem.ItemList, function (keylineitem, vallineitem) {
var imageUrl = vallineitem.ProductImageUrl.replace('{size}', 200);
htmlStr += '<div><img src="' + imageUrl + '" alt="' + vallineitem.ProductName + '"><span class="img-desc">' + ProductNameStr(vallineitem.ProductName) + '</span></div>';
i++;
});
htmlStr += '</div>' +
'</div>' +
'</div>';
});
});
$.each(data.OrderDto, function (key, value) {
if (value.IsSAPMigrationflag === true) {
refundhtmlstr = '<div class="notify-reason"><span class="note"><B>Notification : </B> Geçmiş siparişleriniz yükleniyor. Lütfen kısa bir süre sonra tekrar kontrol ediniz. Teşekkürler. </span></div>';
}
});
}
$('#orders').html(htmlStr);
$("#notification").html(refundhtmlstr);
ApplySlide();
},
error: function () {
console.log("System Failure");
}
});
}
}
. config
包括UI原点和设置允许凭据为真
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="http://burada.com" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</httpProtocol>
没有所谓的跨域cookie。您可以在foo.example.com和bar.example.com之间共享cookie,但绝不可以在example.com和example2.com之间共享cookie,这是出于安全原因。
因为很难做第三方cookie,也有些浏览器不允许这样做。
你可以尝试将它们存储在HTML5本地存储中,然后将它们与前端应用程序的每个请求一起发送。
您不能跨域共享cookie。但是,您可以允许所有子域具有访问权限。若要允许example.com的所有子域具有访问权限,请将域设置为.example.com。
这是不可能的。例如访问example.com的cookie。
推荐文章
- HttpOnly cookie如何与AJAX请求一起工作?
- VS2013外部构建错误"error MSB4019: The imported project <path> was not found"
- getJSON调用中的错误处理
- 如何唯一地识别访问我网站的计算机?
- 正确的方式删除cookies服务器端
- 使用jQuery创建、读取和删除cookie
- Chrome不会删除会话cookie
- 令牌身份验证vs. cookie
- 如何为其他域设置cookie
- JWT vs cookie用于基于令牌的身份验证
- 设置cookie永不过期
- 为跨源请求设置cookie
- cookie与会话
- 我如何解决“HTTP错误500.19 -内部服务器错误”在IIS7.0
- SameSite警告Chrome 77
