How do I send an httponly cookie with axios?



I am using a django backend and a CRAO frontend. I save the jwt refresh token as an httponly cookie:

document.cookie = `refresh=${refresh_token}; SameSite=Strict; Path=/api/token/refresh; HttpOnly`;

Then, to refresh the access token, I send an axios request:

// axios.post(url, data, config): withCredentials belongs in the third (config) argument
const response = await axios.post('/api/token/refresh/', {}, { withCredentials: true });

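However, in this case the cookie that was saved initially is not sent by axios. But after removing the httponly attribute, the cookie does get sent and everything works fine.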

You are not setting the cookie properly in your django application. Save it as an httponly cookie in the following way:

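from django.conf import settings

# AUTH_COOKIE_* are assumed to be project-defined keys inside SIMPLE_JWT.
response.set_cookie(
    key=settings.SIMPLE_JWT["AUTH_COOKIE_REFRESH"],
    value=token["refresh"],
    # expires= takes a datetime or a date string; a timedelta lifetime goes in max_age (seconds).
    max_age=int(settings.SIMPLE_JWT["ACCESS_TOKEN_LIFETIME"].total_seconds()),
    secure=settings.SIMPLE_JWT["AUTH_COOKIE_SECURE"],
    httponly=settings.SIMPLE_JWT["AUTH_COOKIE_HTTP_ONLY"],
    samesite=settings.SIMPLE_JWT["AUTH_COOKIE_SAMESITE"],
)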
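
Added example, not part of the original question or answer: a standard-library check that a `Set-Cookie` header from the refresh-token response carries `HttpOnly`, `Secure` and `SameSite`, and that its `Path` covers the refresh endpoint under the RFC 6265 path-match rule. The function names and the two sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample headers (not captured from a real server).
GOOD = "refresh=abc.def.ghi; HttpOnly; Secure; SameSite=Strict; Path=/api/token/refresh"
WEAK = "refresh=abc.def.ghi; SameSite=Strict; Path=/api/token/ref"


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does cookie_path cover request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts at a "/" boundary.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def audit_set_cookie(header_value, name, request_path):
    """Return the problems found in one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    if name not in jar:
        return [f"cookie {name!r} not set"]
    morsel = jar[name]
    problems = []
    if not morsel["httponly"]:
        problems.append("missing HttpOnly")
    if not morsel["secure"]:
        problems.append("missing Secure")
    if morsel["samesite"].lower() not in ("strict", "lax"):
        problems.append("SameSite is not Strict or Lax")
    # Without a Path attribute the browser derives a default from the
    # URL that set the cookie; that case is not checked here.
    if morsel["path"] and not path_matches(request_path, morsel["path"]):
        problems.append("Path does not cover " + request_path)
    return problems


if __name__ == "__main__":
    for header in (GOOD, WEAK):
        print(audit_set_cookie(header, "refresh", "/api/token/refresh/"))
```

Feed it the `Set-Cookie` value seen in the browser's network tab for the login or refresh response; an empty list means the cookie is script-inaccessible and scoped to the refresh route.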
