Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.0k views
in Technique[技术] by (71.8m points)

session - 大猩猩会话不适用于客户的CORS(Gorilla sessions not working for CORS from client)

I have set up a Go rest api.

(我已经设置了Go rest api。)

And on login I do this:

(并在登录时执行此操作:)

session, _ := store.New(r, sessionId)
session.Options.MaxAge = 12 * 3600
err := session.Save(r, w)
//treat error

and for checking the session i have smth like this:

(为了检查会话,我有这样的东西:)

    session, err := store.Get(r, sessionId)
    //treat error
    if session.IsNew {
        http.Error(w, "Unauthorized session.", http.StatusUnauthorized)
        return
    }

If I do the requests from postman it works fine, but when I do them from my client I get 401. Has any of you experienced something like this?

(如果我执行邮递员的请求,效果很好,但是当我从客户那里收到请求时,我会收到401。你们中的任何人是否经历过类似的事情?)

The store is a CookieStore.

(该商店是一个CookieStore。)

I already checked the id's, I replaced sessionId variable with a static string.

(我已经检查了ID,将sessionId变量替换为静态字符串。)

Gorilla session uses gorilla context to register a new request and when I do the request from postman context.data[r] is not null, but from the client it is always null -> always a new session.

(大猩猩会话使用大猩猩上下文注册一个新请求,当我从邮递员上下文中发出请求时context.data[r]不为null,但从客户端它始终为null->始终是一个新会话。)

https://github.com/gorilla/context/blob/master/context.go - line 33

(https://github.com/gorilla/context/blob/master/context.go-第33行)

it is called in

(它被称为)

https://github.com/gorilla/sessions/blob/master/sessions.go - line 122

(https://github.com/gorilla/sessions/blob/master/sessions.go-第122行)

wich is used in the CookieStore.Get function in

(wich用于CookieStore.Get函数中)

https://github.com/gorilla/sessions/blob/master/store.go - line 77

(https://github.com/gorilla/sessions/blob/master/store.go-第77行)

EDIT 1: For the client I use polymer and I tried xmlhttp too.

(编辑1:对于客户端,我使用聚合物,我也尝试了xmlhttp。)

Polymer:

(聚合物:)

<iron-ajax
  id="ajaxRequest"
  auto
  url="{{requestUrl}}"
  headers="{{requestHeaders}}"
  handle-as="json"
  on-response="onResponse"
  on-error="onError"
  content-type="application/json"
  >
</iron-ajax>

and the handlers

(和处理程序)

  onResponse: function(response){
    console.log(response.detail.response);
    this.items = response.detail.response
  },
  onError: function(error){
    console.log(error.detail)
  },
  ready: function(){
    this.requestUrl = "http://localhost:8080/api/fingerprint/company/" + getCookie("companyId");
    this.requestHeaders = {"Set-cookie": getCookie("api_token")}
  }

and the cookie successfully reaches the backend.

(并且cookie成功到达了后端。)

And xmlhttp:

(和xmlhttp:)

  var xmlhttp = new XMLHttpRequest();
  xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == XMLHttpRequest.DONE ) {
      if(xmlhttp.status == 200){
        //do stuff
      }else if(xmlhttp.status == 401){
        page.redirect("/unauthorized")
      }else{
        page.redirect("/error")
      }
    }
  }

  xmlhttp.open("GET","http://localhost:8080/api/fingerprint/company/" + getCookie("companyId"),true);
  xmlhttp.setRequestHeader("Set-cookie", getCookie("api_token"));
  xmlhttp.send();

EDIT 2:

(编辑2:)

So I tried debugging with fiddler(thanks for the suggestion) and i found out that the request from postman has an bold entry Cookies / Login and the request from the client does not.

(因此,我尝试使用fiddler进行调试(感谢您的建议),结果发现邮递员的请求有一个粗体条目Cookies / Login ,而客户端的请求则没有。)

Any idea how to get/set that value?

(任何想法如何获得/设置该值?)

It is somehow automatically set in Postman.

(它是通过邮递员自动设置的。)

In the authentication request I get a set-cookie header that has all the data that I need but I can't get it on the client.

(在身份验证请求中,我得到一个set-cookie标头,其中包含我需要的所有数据,但无法在客户端上获取。)

I get Refused to get unsafe header set-cookie .

(我被Refused to get unsafe header set-cookie 。)

  ask by Victor Balan translate from so

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The problem is that in the client the requests need to have withCredentials = true and after that the browser deals with everything.

(问题在于,在客户端中,请求必须具有withCredentials = true ,然后浏览器处理所有内容。)

It gets the cookie from the set-cookie header and it sends the cookies via the cookie header.

(它从set-cookie头获取cookie,并通过cookie头发送cookie 。)

So, after all, it was not a gorilla sessions problem.

(因此,毕竟这不是大猩猩会议的问题。)


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...