我的服务器是在 localhost:8080 上使用 Fiber (golang) 和 Fiber-Session 中间件构建的。React App 在 localhost:3000 上运行。运行https
和 cookie 设置都是“SameSite=None”、“Secure”和“HttpOnly”。
我试图做的是:
- 登录请求 (
POST /users/:userID/token
) 和session_id
Cookie 中设置的服务器。
发送请求的代码是:
await fetch('https://localhost:8080/api/v2/users/616637bc3b7adc6e86230277/token', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
password: '123412341234',
})
})
响应状态为 200,响应值正常。
我认为cookie是自动保存的,所以我没有对响应对象做任何事情来保存cookie。
从服务器,响应得到:
HTTP/1.1 200 OK
Date: Wed, 13 Oct 2021 03:14:10 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 17
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Origin
Access-Control-Allow-Origin: https://localhost:3000
Access-Control-Allow-Credentials: true
X-Request-Id: 55978af0-1eb3-4175-bad6-6ada68e6b8d5
Set-Cookie: session_id=9a69d523-98d2-4101-b81f-a4f732f517bc; max-age=86400; path=/; HttpOnly; secure; SameSite=None
我认为服务器的响应非常好。
- 使用会话 cookie 请求从服务器获取用户信息。(这里失败)
发送请求的代码是:
await fetch('https://localhost:8080/api/v2/users/616637bc3b7adc6e86230277', {
method: 'GET',
credentials: 'include'
})
发送到服务器的请求是:
GET /api/v2/users/616637bc3b7adc6e86230277 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: */*
Origin: https://localhost:3000
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.1.1128008882.1631252747
在“Cookie”部分,只有_ga
cookie,没有session_id
cookie,但我认为它没有显示,因为session_id
cookie 是安全的和 httpOnly cookie。
服务器的(失败)响应是:
HTTP/1.1 401 Unauthorized
Date: Wed, 13 Oct 2021 03:14:11 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 147
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Origin
Access-Control-Allow-Origin: https://localhost:3000
Access-Control-Allow-Credentials: true
X-Request-Id: 56978af0-1eb3-4175-bad6-6ada68e6b8d5
发生 401 错误是因为服务器无法从session_id
密钥中找到任何 cookie。
在服务器中:
import (
"fmt"
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/session"
"github.com/gofiber/storage/mongodb"
...
)
var store *session.Store
func InitSessionStore() {
...
store = session.New(session.Config{
Storage: storage,
CookieHTTPOnly: true,
CookieSecure: true,
CookieSameSite: "None",
})
}
// Set session id
func SetUserIDInSession(userID string) error {
...
sess, err := store.Get(c)
if err != nil {
return nil, errors.WithStack(err)
}
sess.Set("user", userID)
if err := sess.Save(); err != nil {
return errors.WithStack(err)
}
return nil
}
// Get user id from session
func GetUserIDFromSession(c *fiber.Ctx) (string, error) {
...
sess, err := store.Get(c)
if err != nil {
return nil, errors.WithStack(err)
}
user := sess.Get("user") // user is nil
...
}
我的代码有问题吗?我找不到任何可疑的位置。请帮我。谢谢。