環境
前端:
- vue全家桶
- axios
后端:
- springboot 2.1.9.RELEASE
- spring-boot-starter-data-redis
- spring-session-data-redis
根據以往的經驗來看,無非就以下幾種情況
設置跨域訪問
- 前端設置攜帶cookie
axios.get('http://xxxx/', {
// 允許攜帶cookie
withCredentials: true
})
- 后端設置CORS
response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, If-Modified-Since");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.addHeader("Access-Control-Allow-Credentials", "true");
代理
設置vue.config.js
module.exports = {
publicPath: './',
devServer: {
proxy: {
// 設置代理
'/innerService': {
target: 'http://192.168.30.248:8081',
changeOrigin: true
}
}
}
nginx
location /innerService {
proxy_pass http://192.168.30.248:8081/;
proxy_cookie_path / /;
proxy_cookie_path / /;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
index index.html index.htm;
}
這次的問題
但是這次,以前的方法都試過之后,還是無效,懷疑自己到底哪里寫錯了。
之后通過對比以前的項目,發現set-cookie里多了一個參數。
set-cookie: SESSION=ODdmZjM1ZDAtNTNkZS00YTJjLThkOTAtNDA5OWNjNzg4ZWY4; Path=/; HttpOnly; SameSite=Lax
沒錯,就是多了SameSite=Lax
於是就帶着這個參數去搜索,
SameSite
Cookie 的SameSite屬性用來限制第三方 Cookie,從而減少安全風險。也就是防止CSRF攻擊
參考 http://www.ruanyifeng.com/blog/2019/09/cookie-samesite.html
解決方案
覆蓋默認CookieSerializer
@Bean
public CookieSerializer httpSessionIdResolver(){
DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
// 源碼默認為Lax
// private String sameSite = "Lax";
cookieSerializer.setSameSite(null);
return cookieSerializer;
}