英文:
Angular HttpClient does not send domain cookie
问题
我有一个在angular.example.com上运行的Angular应用程序。API在app.example.com上运行。我从app.example.com获取一个域cookie,该cookie设置在.example.com上,包含一个JWT令牌(根据RFC,该cookie应该在这些域之间可共享:https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.3)。
当请求发送到angular.example.com时,我可以在请求头中看到cookie(由浏览器添加)。Angular应用程序被提供并发出请求到app.example.com以获取一些数据。
我会期望浏览器会将这个cookie随着请求一起发送,但实际上并没有发生。有人可以解释为什么会这样吗?
英文:
I have an Angular app that runs on angular.example.com. The API runs on app.example.com. I get a domain cookie from app.example.com that sets the cookie on .example.com containing a JWT token (the cookie should be shareable between these domains according to RFC: https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.3).
When the request to angular.example.com is sent and I can see the cookie as part of the request headers (added by the browser). The Angular app is served and makes a request to app.example.com to fetch some data.
I would expect that the cookie would be send along with this request by the browser, but it doesn't happen. Can anyone explain why this doesn't happen?
答案1
得分: 15
默认情况下,Angular 中的 XHR 请求不会在每个请求中传递 cookie 信息。这意味着默认情况下,Angular 不会将先前请求中捕获的 Cookie 传递回服务器,从而有效地使用户注销。
并且您的服务器响应必须允许头部 Access-Control-Allow-Credentials。
为了使这个工作,HttpClient 必须设置 withCredentials:
> 跨域资源共享(CORS) - Allow-Origin-With-Credentials
>
> 除了客户端的 withCredentials 头部之外,如果您进行跨域请求,请确保服务器上也设置了 Allow-Origin-With-Credentials 头部。如果未设置此头部,客户端端的 withCredentials 也不会影响跨域调用,导致不会发送 cookies 和授权头部。
let options = new RequestOptions({ headers: headers, withCredentials: true });
this.http.post(this.url, body, options);
英文:
XHR requests in Angular by default do not pass cookie information with each request. What this means is by default Angular doesn't pass Cookies captured on previous requests back to the server which effectively logs out the user.
And your server response must allow headers Access-Control-Allow-Credentials.
In order for that to work the HttpClient has to set the withCredentials:
> CORS - Allow-Origin-With-Credentials
>
> In addition to the client side withCredentials header, if you are going cross domain also make sure that the Allow-Origin-With-Credentials header is set on the server. If this header is not set the client side withCredentials also has no effect on cross-domain calls causing cookies and auth headers to not be sent.
let options = new RequestOptions({ headers: headers, withCredentials: true });
this.http.post(this.url, body , options);
答案2
得分: 13
HTTP默认情况下不会重新发送cookie。您必须启用它,可以在每个请求中使用配置{withCredentials: true},或者创建一个HttpInterceptor来为所有请求添加它。
this.httpclient.get(myUrl, {withCredentials:true})
或者参考:Stackoverflow: Add credentials to every httpClient call
英文:
HTTP does not resend cookies by default. You have to enable it, either per request with the config {withCredentials: true}, or create an HttpInterceptor to add it for all requests.
this.httpclient.get(myUrl, {withCredentials:true})
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论