Session cookie is being dropped, but for only one link on one page
Question
I maintain an e-commerce shopping site (or "cart") for an external client. They have their own separate web site on their own server on a different domain. Their site links to our cart, opening it in a new tab or window (with target="_blank" in the link). When clicking on a link that is on their site, and pointing to our cart, any previously set session cookies for our cart are not included in the HTTP request.
If you log into our cart, then navigate to any other site and come back, the cookie is still set in our cart and you are still logged in. If you navigate to their site (but don't click on the link to our site) and then navigate back to our cart, you are still logged in. If I copy the URL from the link on their site and paste it into the browser's location bar, the cookie is still set and you are still logged in. If I click the same link on any other page (or a different link but with the same URL), the cookie is still set and you are still logged in.
It is only -- as far as I can see so far -- when exactly that link is clicked on exactly that page on the client's site that the cookie is not included in the request.
Since it seems to be specific to that link on that page on the client's external site, my best theory was that something in the HTTP headers that came with that page was instructing the browser not to include cookies in HTTP requests that are initiated by clicking links on that page. The headers included in the response seem to be fairly standard (date, cache-control, etag, age, x-served-by, x-cache, vary, server-timing, set-cookie, x-seen-by, alt-svc, and X-Firefox-Spdy) and nothing among them seems to say "Don't respect cookies for sites linked to from here."
The cookie has the HttpOnly attribute set, so should not be visible or manipulable by the browser.
The server for the client's external site is serving HTTP/2, while our server is serving HTTP/1.1. My research on the differences between the protocol versions has not yet turned up any reason why that should be a factor, but I mention it only because I am otherwise so bereft of explanations for why this is happening.
Any ideas on why the cookie for our cart is not being sent with requests to our cart, but only if the request was the result of clicking that one link on that one page, or what I can do to fix it on this end, or what I can get the client to change on their end?
Thank you.
Answer 1
Score: 1
You are probably experiencing the result of not setting the samesite cookie attribute to the correct value for your situation.
When you want to include cookies in both POST/GET operations across sites, you must set both samesite=none and the secure attribute.
Like this:
Set-Cookie: SessionCookie=xxxxxxxxxx; SameSite=None; Secure
Also, you must use HTTPS.
If you don't set them, cookies will only be included in safe GET requests and not in POST requests across sites (Lax mode).
To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging cookie problems
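An added example, not part of the original answer: a small model of the browser's SameSite rules that parses the answer's Set-Cookie line and reports whether the cookie would be attached to a cross-site top-level link click, a cross-site POST, or a cross-site subresource request. The function names are my own; the rules that an unspecified SameSite defaults to Lax and that SameSite=None is rejected without Secure reflect current browser behaviour.

```python
# Added example: a model of browser SameSite cookie-attachment rules (RFC 6265bis),
# written to reason about why a session cookie is dropped on a cross-site link click.
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str = "Lax"   # modern browsers treat a missing attribute as Lax
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Extract the name and the SameSite/Secure attributes from a Set-Cookie line."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]           # tolerate the "Set-Cookie:" prefix
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite, secure = "Lax", False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            samesite = value.strip().capitalize() or "Lax"   # None / Lax / Strict
        elif key.strip().lower() == "secure":
            secure = True
    if samesite == "None" and not secure:
        # Browsers reject SameSite=None cookies that lack Secure, so the cookie is never stored.
        raise ValueError("SameSite=None requires the Secure attribute")
    return Cookie(name, samesite, secure)


def would_send(cookie: Cookie, *, cross_site: bool, method: str,
               top_level: bool, https: bool) -> bool:
    """Decide whether the browser attaches `cookie` to a request with these properties."""
    if cookie.secure and not https:
        return False                      # Secure cookies only travel over HTTPS
    if not cross_site or cookie.samesite == "None":
        return True                       # same-site, or explicitly opted in to cross-site use
    if cookie.samesite == "Lax":
        # Lax allows cross-site cookies only on top-level navigations with a safe method.
        return top_level and method.upper() in SAFE_METHODS
    return False                          # Strict: never attached to any cross-site request


def link_click_from_partner_site(header: str) -> bool:
    """The scenario in the question: a top-level GET navigation from another domain."""
    cookie = parse_set_cookie(header)
    return would_send(cookie, cross_site=True, method="GET", top_level=True, https=True)
```

Running the question's scenario against each SameSite value shows that Lax and None both keep the session on a plain link click, while Strict drops it; only the cross-site POST case distinguishes Lax from None.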
Comments