If I run the server locally it sets the cookie, but when it is hosted online I get:
Cookie “connect.sid” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Then I tried using secure=true:
it works and the cookies are set when the server is hosted locally. But when it is hosted in heroku the cookies are not set, and I get no error.
It seems like the client website is not secure, but it shows https in the URL bar.
What am I doing wrong here?
Session config:
const session = require("express-session"); // the snippet assumes this import

router.use(
  session({
    cookie: {
      secure: true,                  // only sent over HTTPS; required together with sameSite: "none"
      maxAge: 24 * 60 * 60 * 1000,   // express-session takes milliseconds; a bare 86400 would be only 86.4 s
      sameSite: "none",              // allow the cookie on cross-site requests from the frontend origin
    },
    // Heroku's router terminates TLS, so the app sees plain HTTP plus X-Forwarded-Proto;
    // without trusting the proxy (this option or app.set("trust proxy", 1)) express-session
    // treats the request as insecure and never emits a cookie marked secure: true.
    proxy: true,
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
  })
);
Note: I have enabled CORS with credentials set to true.
The Cookies tab for the XHR request is empty.
The frontend and backend are hosted separately on Heroku.
XMLHttpRequest is used to send the POST request with withCredentials set to true.
XHR POST https://sih-drs-prototype-backend-2.herokuapp.com/api/outrages/login
[HTTP/1.1 200 OK 1625ms]

POST https://sih-drs-prototype-backend-2.herokuapp.com/api/outrages/login
Status: 200 OK
Version: HTTP/1.1
Transferred: 367 B (2 B size)

Response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://tempautocomplete.herokuapp.com
Connection: keep-alive
Content-Length: 2
Content-Type: application/json; charset=utf-8
Date: Sun, 12 Jul 2020 14:06:42 GMT
Etag: W/"2-vyGp6PvFo4RvsFtPoIWeCReyIC8"
Server: Cowboy
Vary: Origin
Via: 1.1 vegur
X-Powered-By: Express

Request headers:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 46
Content-Type: application/json;charset=UTF-8
Host: sih-drs-prototype-backend-2.herokuapp.com
Origin: https://tempautocomplete.herokuapp.com
Referer: https://tempautocomplete.herokuapp.com/static/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Best answer
The problem is not with express-session; it does its job.
When the response comes from a 3rd-party domain, the browser does not allow the cookie to be used.
if you are looking for a workaround try this npm package: should-send-same-site-none https://www.npmjs.com/package/should-send-same-site-none
To be clear, the browser does not reject the cookie. Instead, the cookie is stored under the name of the 3rd-party domain that sent the response.
Since the request and response come from the same domain (localhost), it works fine when hosted locally.
Regarding node.js - Express JS/Node JS: Browsers are not setting cookie when secure=true, sameSite: 'none', we found a similar question on Stack Overflow: https://stackoverflow.com/questions/62862094/
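The exchange in the question has two independent gates, and the captured response headers above contain no Set-Cookie at all, so it helps to model both. The following is an added example, not code from the question, the accepted answer, or express-session itself: it mimics how a session middleware behind a TLS-terminating proxy decides whether the request was HTTPS (and so whether a cookie configured with secure: true is emitted), and how a browser then applies the SameSite/Secure rules from the warning quoted in the question to a credentialed cross-site XHR. The function names, the reduced public-suffix list and the scenario values are all assumptions constructed for the example; the hostnames are the ones from the captured headers.

```javascript
// Added example: not code from the question or the accepted answer. It models the
// two decisions behind the symptom: whether an express-session-style server behind
// a TLS-terminating proxy (Heroku's router) believes the request is HTTPS, and so
// emits a Secure cookie at all, and whether the browser then stores that cookie and
// attaches it to a credentialed cross-site XHR. All names and scenario values are
// assumptions constructed for this example.

// Constructed subset of the Public Suffix List. "herokuapp.com" is a public suffix,
// so two *.herokuapp.com apps are different sites, like two *.github.io pages.
const PUBLIC_SUFFIXES = new Set(["com", "herokuapp.com", "github.io"]);

// Registrable domain ("site") of a hostname: one label above the longest public suffix.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return hostname.toLowerCase(); // no suffix match, e.g. "localhost"
}

// Cross-site means the Origin header's site differs from the request URL's site.
function isCrossSite(originHeader, requestUrl) {
  return siteOf(new URL(originHeader).hostname) !== siteOf(new URL(requestUrl).hostname);
}

// A cookie configured with secure: true is withheld unless the server believes the
// request was HTTPS. Behind Heroku the socket is plain HTTP and the original scheme
// arrives in X-Forwarded-Proto, honoured only when the proxy is trusted.
function requestIsSecure({ socketEncrypted, xForwardedProto, trustProxy }) {
  if (socketEncrypted) return true;
  const forwarded = (xForwardedProto || "").split(",")[0].trim().toLowerCase();
  return Boolean(trustProxy) && forwarded === "https";
}

// Render cookie options as a Set-Cookie value. express-session's maxAge is in
// milliseconds while the header's Max-Age attribute is in seconds.
function buildSetCookie(name, value, { secure, sameSite, maxAgeMs }) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "HttpOnly"];
  if (maxAgeMs !== undefined) parts.push(`Max-Age=${Math.floor(maxAgeMs / 1000)}`);
  if (secure) parts.push("Secure");
  if (sameSite) parts.push(`SameSite=${sameSite[0].toUpperCase()}${sameSite.slice(1).toLowerCase()}`);
  return parts.join("; ");
}

// Browser-side rules behind the warning quoted in the question: SameSite=None needs
// Secure, a Secure cookie is only accepted from an https response, and only a
// SameSite=None cookie is attached to a cross-site request.
function browserDecision(setCookie, { responseIsHttps, crossSite }) {
  const attrs = setCookie.split(";").map((p) => p.trim().toLowerCase());
  const secure = attrs.includes("secure");
  const sameSite = (attrs.find((a) => a.startsWith("samesite=")) || "samesite=lax").slice(9);
  if (sameSite === "none" && !secure) {
    return { stored: false, sentCrossSite: false, reason: "SameSite=None without Secure is rejected" };
  }
  if (secure && !responseIsHttps) {
    return { stored: false, sentCrossSite: false, reason: "Secure cookie on a non-https response is rejected" };
  }
  if (crossSite && sameSite !== "none") {
    return { stored: true, sentCrossSite: false, reason: `SameSite=${sameSite} cookie is not sent cross-site` };
  }
  return { stored: true, sentCrossSite: true, reason: "ok" };
}

// One login round trip under a given deployment: what the Network tab would show, and why.
function diagnose(scenario) {
  const { requestUrl, origin, cookieOpts } = scenario;
  if (cookieOpts.secure && !requestIsSecure(scenario)) {
    return { setCookieSent: false, stored: false, sentCrossSite: false,
             reason: "server saw plain HTTP and withheld the Secure cookie" };
  }
  const setCookie = buildSetCookie("connect.sid", "s:example", cookieOpts);
  const crossSite = isCrossSite(origin, requestUrl);
  const responseIsHttps = new URL(requestUrl).protocol === "https:";
  return { setCookieSent: true, setCookie, crossSite,
           ...browserDecision(setCookie, { responseIsHttps, crossSite }) };
}

// Constructed scenarios using the hosts from the captured headers in the question.
const HEROKU = {
  requestUrl: "https://sih-drs-prototype-backend-2.herokuapp.com/api/outrages/login",
  origin: "https://tempautocomplete.herokuapp.com",
  socketEncrypted: false,   // Heroku's router terminated TLS upstream of the dyno
  xForwardedProto: "https",
  trustProxy: false,
  cookieOpts: { secure: true, sameSite: "none", maxAgeMs: 86400 * 1000 },
};
const HEROKU_TRUSTED = { ...HEROKU, trustProxy: true };
const NONE_WITHOUT_SECURE = { ...HEROKU_TRUSTED,
  cookieOpts: { secure: false, sameSite: "none", maxAgeMs: 86400 * 1000 } };

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, s] of Object.entries({ HEROKU, HEROKU_TRUSTED, NONE_WITHOUT_SECURE })) {
    console.log(label, diagnose(s));
  }
}
```

Run with node to print the three outcomes: with the proxy untrusted the server never emits Set-Cookie (no browser warning, empty Cookies tab); with the proxy trusted the response carries a SameSite=None; Secure cookie that the browser stores under the backend's site and attaches to later credentialed requests; and SameSite=None without Secure reproduces the rejection the warning describes. Two *.herokuapp.com hosts are different sites because herokuapp.com is a public suffix, which is why the cross-site branch matters there and not on localhost.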