问题
我正在运行带有设置cookie的Post端点的Spring Boot服务器。当从我的 Angular 应用程序向端点发出请求时,我在Chrome开发者控制台的响应标题中看不到Set-Cookie标题。为什么Set-Cookie header 不显示?
调查摘要
使用curl时,Set-Cookie响应 header 确实会显示在响应 header 中,Safari中也存在Set-Cookie,并且它会显示在chrome net-export日志中。
环境
ng serve --host 0.0.0.0 --disable-host-check上使用http://example.com:4200命令托管 Angular UI。 http://example.com:8080上运行spring boot服务器http://example.com:8080/accounts/v1/user/authenticate Version 73.0.3683.103 (Official Build) (64-bit) 尝试调试
苹果浏览器
Set-Cookie header 在Safari开发人员控制台的响应 header 中可见。
Chrome 合金
Chrome开发者控制台
转到devconsole->网络->身份验证请求。我查看了请求和响应头,而Set-Cookie不在那儿。
请求 header
Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: http://example.com:4200
Referer: http://example.com:4200/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
响应头
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://example.com:4200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Wed, 17 Apr 2019 21:58:52 GMT
Expires: 0
Pragma: no-cache
Server: nginx/1.15.6
Transfer-Encoding: chunked
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
使用Chrome chrome://net-export/
我保存了发布请求的日志。有趣的是,Set-Cookie header 确实出现在这些日志中。另外,Cookie header 的确也显示在请求中(可能是从先前的尝试中保存的)。
t=190196 [st= 0] +REQUEST_ALIVE [dt=125]
--> priority = "MEDIUM"
--> url = "http://example.com/accounts/v1/user/authenticate"
t=190196 [st= 0] NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=0]
t=190196 [st= 0] +URL_REQUEST_START_JOB [dt=124]
--> load_flags = 0 (NORMAL)
--> method = "POST"
--> privacy_mode = 0
--> upload_id = "0"
--> url = "http://example.com/accounts/v1/user/authenticate"
t=190197 [st= 1] NETWORK_DELEGATE_BEFORE_START_TRANSACTION [dt=0]
t=190197 [st= 1] HTTP_CACHE_GET_BACKEND [dt=0]
t=190197 [st= 1] +HTTP_STREAM_REQUEST [dt=0]
t=190197 [st= 1] HTTP_STREAM_JOB_CONTROLLER_BOUND
--> source_dependency = 16598 (HTTP_STREAM_JOB_CONTROLLER)
t=190197 [st= 1] HTTP_STREAM_REQUEST_BOUND_TO_JOB
--> source_dependency = 16599 (HTTP_STREAM_JOB)
t=190197 [st= 1] -HTTP_STREAM_REQUEST
t=190197 [st= 1] UPLOAD_DATA_STREAM_INIT [dt=0]
--> is_chunked = false
--> net_error = 0 (?)
--> total_size = 43
t=190197 [st= 1] +HTTP_TRANSACTION_SEND_REQUEST [dt=0]
t=190197 [st= 1] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> POST /accounts/v1/user/authenticate HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 43
Accept: application/json, text/plain, */*
Origin: http://example.com:4200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Content-Type: application/json
Referer: http://example.com:4200/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Authorization="xxxx"
t=190197 [st= 1] HTTP_TRANSACTION_SEND_REQUEST_BODY
--> did_merge = false
--> is_chunked = false
--> length = 43
t=190197 [st= 1] UPLOAD_DATA_STREAM_READ [dt=0]
--> current_position = 0
t=190197 [st= 1] UPLOAD_DATA_STREAM_READ [dt=0]
--> current_position = 43
t=190197 [st= 1] -HTTP_TRANSACTION_SEND_REQUEST
t=190197 [st= 1] +HTTP_TRANSACTION_READ_HEADERS [dt=122]
t=190197 [st= 1] HTTP_STREAM_PARSER_READ_HEADERS [dt=122]
t=190319 [st=123] HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 200 OK
Server: nginx/1.15.6
Date: Wed, 17 Apr 2019 21:27:35 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: Authorization="xxxx"; Version=1; Domain=.example.com; Max-Age=1031; Expires=Wed, 17-Apr-2019 21:44:46 GMT
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: DENY
Access-Control-Allow-Origin: http://example.com:4200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
t=190319 [st=123] -HTTP_TRANSACTION_READ_HEADERS
t=190319 [st=123] NETWORK_DELEGATE_HEADERS_RECEIVED [dt=0]
t=190320 [st=124] -URL_REQUEST_START_JOB
t=190320 [st=124] URL_REQUEST_DELEGATE_RESPONSE_STARTED [dt=0]
t=190320 [st=124] HTTP_TRANSACTION_READ_BODY [dt=1]
t=190321 [st=125] URL_REQUEST_JOB_FILTERED_BYTES_READ
--> byte_count = 698
--> bytes = "xxxx"
t=190321 [st=125] HTTP_TRANSACTION_READ_BODY [dt=0]
t=190321 [st=125] -REQUEST_ALIVE
使用Chrome选项
一些帖子建议禁用此chrome选项
chrome://flags/#site-isolation-trial-opt-out。但这没有效果。Angular
在angular我的帖子请求中添加了
withCredentials: true选项。但这并不能解决问题。curl
我尝试使用curl模拟来自UI的请求
curl -i -H 'Origin: http://example.com:4200' -H 'Accept: application/json, text/plain, */*' -H 'Content-Type: application/json' -H 'Referer: http://example.com:4200/' --request POST --data '{"primaryEmailAddress":"[email protected]"}' http://example.com:8080/accounts/v1/user/authenticate
请求的响应 header 包含已设置的Cookie header
HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: Authorization="Bearer xxxx"; Version=1; Domain=.example.com; Max-Age=545; Expires=Wed, 17-Apr-2019 22:00:46 GMT
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: DENY
Date: Wed, 17 Apr 2019 21:51:41 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://example.com.com:4200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
Transfer-Encoding: chunked
Content-Type: application/json;charset=UTF-8
最佳答案
我注意到了相同的行为(使用Chrome 75)。我不知道为什么Chrome开发人员工具在“网络”标签下不显示Set-Cookie响应 header 。 (似乎应该如此。)但是,如果您在“应用程序”选项卡下查看,则可以验证是否已设置cookie(请参阅“应用程序”->“存储”->“cookies”)。在这里,您还可以编辑和清除Cookie。
关于angular - Set-Cookie header 未显示在Google Chrome中,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/55736723/