本文介绍了即使将SameSite = None设置为Safari,Safari也不会发送cookie;安全的的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我们的应用程序使用cookie来记住用户登录.我们进行的每个auth API调用,浏览器都会将服务器设置的HTTPonly cookie附加到API请求中,并进行身份验证.莫哈韦沙漠(Mojave)发布后,这种行为在野生动物园中似乎已被打破.

Our application uses cookies to remember user login. Every auth API call we make, the browser attaches server-set HTTPonly cookie with the API request and gets authenticated. This behaviour seems to be broken in safari after Mojave release.

我了解了safari实现的跨站点cookie安全性,我们的服务器团队在设置cookie时添加了SameSite=None;Secure.即使那样,它仍然不起作用.

I read about the cross-site cookie security implemented by safari and our server team added SameSite=None;Secure while setting the cookie. Even after that, it still doesn't work.

Set-Cookie: my_cookie=XXXXX; path=/; secure; HttpOnly; SameSite=None

请提供建议或提供实际找到解决方案的人员的链接.

Please advise or provide links from people who actually found a solution..

推荐答案

Mac OS 10.14上的Safari版本以及iOS 12上的所有浏览器均受此错误,这意味着SameSite=None被错误地视为SameSite=Strict,例如最严格的设置.

Versions of Safari on MacOS 10.14 and all browsers on iOS 12 are affected by this bug which means that SameSite=None is erroneously treated as SameSite=Strict, e.g. the most restrictive setting.

我已经在以下任一方面的 SameSite Cookie食谱中发布了一些指南.

I've published some guidance in SameSite cookie recipes on either:

  • 使用两组Cookie来说明支持SameSite=None; Secure和不支持SameSite=None; Secure的浏览器.
  • 嗅探用户代理针对不兼容的浏览器,但不提供满足这些要求.
  • Using two sets of cookies to account for browsers that support SameSite=None; Secure and those that don't.
  • Sniffing the user agent for incompatible browsers and not serving SameSite=None for those requests.

这篇关于即使将SameSite = None设置为Safari,Safari也不会发送cookie;安全的的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-30 05:44