We are planning to support the integration of remote login forms to our application. For this I provide a CORS enabled API call that sets an authentication cookie for our application. The ajax call succeeds and the response contains the cookies, but once I redirect the browser to our application, the cookie is not contained anymore.
我们计划支持将远程登录表单集成到我们的应用程序中。为此,我提供了一个启用CORS的API调用,为我们的应用程序设置身份验证cookie。 ajax调用成功,响应包含cookie,但是一旦我将浏览器重定向到我们的应用程序,cookie就不再包含了。
My setup consists of the login form running on http://myhost/login.html, the API login call is running on http://myapp:8080/login (ASP.net Web Api) and the application itself on http://myapp/app (ASP.net MVC)
我的设置包括在http://myhost/login.html上运行的登录表单,API登录调用在http:// myapp:8080 / login(ASP.net Web Api)上运行,应用程序本身在http:/上运行/ myapp / app(ASP.net MVC)
The ajax call looks like this:
ajax调用如下所示:
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://myapp:8080/login', true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.onload = function() {
var resp = xhr.responseText;
if(xhr.status == 200) {
document.querySelector('#status').innerHTML = 'Login successful <a href="http://myapp/app">Go to MyApp</a>';
}
else {
document.querySelector('#status').innerHTML = 'Login Failed : ' + xhr.statusText + '<br /><pre>' + xhr.responseText + '</pre>';
}
};
xhr.send(JSON.stringify({ UserName: 'User', Password: 'Pass' }));
And the server responds:
并且服务器响应:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://myhost
Content-Length:0
Date:Fri, 23 Jun 2017 08:49:04 GMT
Server:Microsoft-HTTPAPI/2.0
Set-Cookie:MyAppToken=SecretToken; domain=myapp; path=/
When I directly afterwards investigate on the cookies (Google Chrome), I can see that the cookie was set with the correct domain and content. But upon page reload or redirect to http://myapp/app the cookie is not set anymore and also my planned auto-login is not kicking in.
当我直接调查cookie(谷歌浏览器)后,我可以看到cookie设置了正确的域名和内容。但是在页面重新加载或重定向到http:// myapp / app时,cookie不再被设置,而且我计划的自动登录也没有开始。
Is there something else I need to consider when I want the MyAppToken
to be available on the app after the AJAX call? I do not need access to the MyAppToken
cookie on myhost
it only needs to be available for myapp
to do the login.
当我希望在AJAX调用之后在应用程序上提供MyAppToken时,我还需要考虑其他什么吗?我不需要访问myhost上的MyAppToken cookie,只需要myapp可以登录。
Update (2017-07-19)
With only changing our test environment the system described above is working without problems. It seems likely that certain security constraints are influencing whether the browser transmits the cookie to the target application. Especially the 3rd-party cookie policies mentioned by Dennis C. sounds reasonable.
只改变我们的测试环境,上面描述的系统没有问题。似乎某些安全约束正在影响浏览器是否将cookie传输到目标应用程序。特别是Dennis C.提到的第三方cookie政策听起来很合理。
3 个解决方案
#1
1
The absence of an expiration date means you are creating what is called a session only cookie. Closing your connection to your application could be causing the cookie to be cleared.
没有过期日期意味着您正在创建所谓的仅会话cookie。关闭与应用程序的连接可能导致cookie被清除。
This is created like this:
这是这样创建的:
HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
Response.Cookies.Add(CrossAuth);
If you want the cookie to persist, try adding an expiration date:
如果您希望cookie保持不变,请尝试添加过期日期:
HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
CrossAuth.Expires = DateTime.Now.AddHours(3);
Response.Cookies.Add(CrossAuth);
Which should result in a cookie that looks like this:
哪个应该导致cookie看起来像这样:
#2
0
By default, most browser will ignore all 3rd-party cookies unless some P3P policy is given.
默认情况下,除非给出一些P3P策略,否则大多数浏览器将忽略所有第三方cookie。
I suggest you can checkout some other answered question on https://*.com/questions/tagged/p3p?sort=votes
我建议您可以在https://*.com/questions/tagged/p3p?sort=votes上查看其他一些已回答的问题
#3
0
login form running on http://myhost/login.html,
在http://myhost/login.html上运行的登录表单,
the API login call is running on http://myapp:8080/login (ASP.net Web Api)
API登录调用在http:// myapp:8080 / login(ASP.net Web Api)上运行
the application itself on http://myapp/app (ASP.net MVC)
应用程序本身在http:// myapp / app(ASP.net MVC)
In your application using loginform is one domain and api is another domain and your application is another domain.so, the access control is not working
在您的应用程序中使用loginform是一个域而api是另一个域而您的应用程序是另一个域。因此,访问控制不起作用
If ASP net MVC Application if Access-Control-Allow-Origin refer url is
如果ASP net MVC Application如果Access-Control-Allow-Origin参考url是
https://enable-cors.org/server_iis7.html
https://enable-cors.org/server_iis7.html
httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
(*) is used for accept request from any domain. you only accept particular domains the you will check the
(*)用于来自任何域的接受请求。你只接受特定的域名,你会检查
Access-control-allow-origin with multiple domains
具有多个域的Access-control-allow-origin
Access-Control-Allow-Origin: {your api domain name}
Access-Control-Allow-Credentials: true
set the mvc domain request headers.
设置mvc域请求标头。
this Process it's your Code return Server Respons have the vaild cookie in header. this cookie is ajax requested response.it's not stored in domain based cookie storage in web browser. so,we cannot use the after redirect.because, the domain url based only cookies are storing in Web browser
这个过程是你的代码返回Server Respons在标题中有vaild cookie。此cookie是ajax请求的响应。它不存储在Web浏览器中基于域的cookie存储中。所以,我们不能使用后重定向。因为,只有基于cookie的域url存储在Web浏览器中
In another way to save the cookie in your web browser in a same domain it's possible. but the Cross domain cookie Saving it's prossible for the Security Reasons.
另一种方法是将cookie保存在同一域中的Web浏览器中。但是跨域cookie保存它对于安全原因是不可能的。
Refer How to set a cookie for another domain using JavaScript?
请参阅如何使用JavaScript为其他域设置cookie?
so, In this Suitation you can Write the code after getting the Success response.
所以,在此Suitation中,您可以在获得Success响应后编写代码。
1)write the method in mvc Controller and write method with one param.
1)在mvc Controller中编写方法,用一个param写入方法。
2)in html page set the one form with
2)在html页面中设置一个表单
<form id="crossorginpostform" method="post" action="">
<input type="hidden" id="apptoken" name="MyAppToken"/>
</form>
set the cookie value in apptoken field and change the url and javascript based you sumbit the form of your mvc controller method post the cookie and redirect to your required action.
在apptoken字段中设置cookie值,并根据你的mvc控制器方法的形式更新url和javascript,发布cookie并重定向到你需要的操作。
you receive the cookie and reassign the cookie in that domain as you want.
您收到cookie并根据需要在该域中重新分配cookie。
Refer this Link How to set a cookie for another domain
请参阅此链接如何为其他域设置cookie
in this place we are set the cross domain cookie from another domain their using PHP that the same way you set. I Hope this is Helpful for you.
在这个地方,我们使用PHP设置来自另一个域的跨域cookie,与您设置的方式相同。我希望这对你有帮助。
#1
1
The absence of an expiration date means you are creating what is called a session only cookie. Closing your connection to your application could be causing the cookie to be cleared.
没有过期日期意味着您正在创建所谓的仅会话cookie。关闭与应用程序的连接可能导致cookie被清除。
This is created like this:
这是这样创建的:
HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
Response.Cookies.Add(CrossAuth);
If you want the cookie to persist, try adding an expiration date:
如果您希望cookie保持不变,请尝试添加过期日期:
HttpCookie CrossAuth = new HttpCookie("MyAppToken", "SecretToken");
CrossAuth.Domain = refurl.DnsSafeHost;
CrossAuth.Expires = DateTime.Now.AddHours(3);
Response.Cookies.Add(CrossAuth);
Which should result in a cookie that looks like this:
哪个应该导致cookie看起来像这样:
#2
0
By default, most browser will ignore all 3rd-party cookies unless some P3P policy is given.
默认情况下,除非给出一些P3P策略,否则大多数浏览器将忽略所有第三方cookie。
I suggest you can checkout some other answered question on https://*.com/questions/tagged/p3p?sort=votes
我建议您可以在https://*.com/questions/tagged/p3p?sort=votes上查看其他一些已回答的问题
#3
0
login form running on http://myhost/login.html,
在http://myhost/login.html上运行的登录表单,
the API login call is running on http://myapp:8080/login (ASP.net Web Api)
API登录调用在http:// myapp:8080 / login(ASP.net Web Api)上运行
the application itself on http://myapp/app (ASP.net MVC)
应用程序本身在http:// myapp / app(ASP.net MVC)
In your application using loginform is one domain and api is another domain and your application is another domain.so, the access control is not working
在您的应用程序中使用loginform是一个域而api是另一个域而您的应用程序是另一个域。因此,访问控制不起作用
If ASP net MVC Application if Access-Control-Allow-Origin refer url is
如果ASP net MVC Application如果Access-Control-Allow-Origin参考url是
https://enable-cors.org/server_iis7.html
https://enable-cors.org/server_iis7.html
httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
(*) is used for accept request from any domain. you only accept particular domains the you will check the
(*)用于来自任何域的接受请求。你只接受特定的域名,你会检查
Access-control-allow-origin with multiple domains
具有多个域的Access-control-allow-origin
Access-Control-Allow-Origin: {your api domain name}
Access-Control-Allow-Credentials: true
set the mvc domain request headers.
设置mvc域请求标头。
this Process it's your Code return Server Respons have the vaild cookie in header. this cookie is ajax requested response.it's not stored in domain based cookie storage in web browser. so,we cannot use the after redirect.because, the domain url based only cookies are storing in Web browser
这个过程是你的代码返回Server Respons在标题中有vaild cookie。此cookie是ajax请求的响应。它不存储在Web浏览器中基于域的cookie存储中。所以,我们不能使用后重定向。因为,只有基于cookie的域url存储在Web浏览器中
In another way to save the cookie in your web browser in a same domain it's possible. but the Cross domain cookie Saving it's prossible for the Security Reasons.
另一种方法是将cookie保存在同一域中的Web浏览器中。但是跨域cookie保存它对于安全原因是不可能的。
Refer How to set a cookie for another domain using JavaScript?
请参阅如何使用JavaScript为其他域设置cookie?
so, In this Suitation you can Write the code after getting the Success response.
所以,在此Suitation中,您可以在获得Success响应后编写代码。
1)write the method in mvc Controller and write method with one param.
1)在mvc Controller中编写方法,用一个param写入方法。
2)in html page set the one form with
2)在html页面中设置一个表单
<form id="crossorginpostform" method="post" action="">
<input type="hidden" id="apptoken" name="MyAppToken"/>
</form>
set the cookie value in apptoken field and change the url and javascript based you sumbit the form of your mvc controller method post the cookie and redirect to your required action.
在apptoken字段中设置cookie值,并根据你的mvc控制器方法的形式更新url和javascript,发布cookie并重定向到你需要的操作。
you receive the cookie and reassign the cookie in that domain as you want.
您收到cookie并根据需要在该域中重新分配cookie。
Refer this Link How to set a cookie for another domain
请参阅此链接如何为其他域设置cookie
in this place we are set the cross domain cookie from another domain their using PHP that the same way you set. I Hope this is Helpful for you.
在这个地方,我们使用PHP设置来自另一个域的跨域cookie,与您设置的方式相同。我希望这对你有帮助。