Answered by Daniel W.
My mistake was that I was calling an HTTP server endpoint instead of its HTTPS version.
The other questions all cover the same topic, but after trying everything, the problem was still not solved.
My problem:
I cannot log in from my second JS client
- https://localhost:4433 works fine (SET-COOKIE header present and COOKIE is set)
- https://localhost does not work (SET-COOKIE header present, but COOKIE is not set)
Login endpoint:
http://localhost:8000/home/login
Response headers:
Set-Cookie: .AspNetCore.Cookies=SomeCookieHere; expires=Sun, 10 Sep 2022 14:12:52 GMT; path=/; secure; samesite=none; httponly
JavaScript:
$.post({
    xhrFields: {
        withCredentials: true   // send and accept cookies on this cross-origin request
    },
    crossDomain: true,
    type: 'POST',
    url: 'http://localhost:8000/home/login',   // plain HTTP endpoint
    data: {"userName":"userName","password":"password"},
    contentType: "application/x-www-form-urlencoded",
    dataType: "html",           // jQuery expects a type keyword ("html"/"text"/"json"), not a MIME type
    success: function(data) {}
});
C#:
authBuilder.AddCookie(options =>
{
    // SameSite=None is required for the cookie to be sent on cross-site requests...
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    // ...and browsers only accept SameSite=None together with Secure, so the cookie is always marked Secure
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.LoginPath = new PathString("/");
})
You cannot set a Secure cookie from a non-secure context:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
A cookie with the Secure attribute is only sent to the server with encrypted requests over the HTTPS protocol, and never with insecure HTTP, so a man-in-the-middle attacker cannot easily access it. Insecure sites (with http: in the URL) cannot set cookies with the Secure attribute.
$.post({
    xhrFields: { withCredentials: true },
    crossDomain: true,
    // url: 'http://localhost:8000/home/login', // Can't use HTTP endpoint: the browser drops the Secure cookie
    url: 'https://localhost:4433/home/login',   // This works: Secure cookie set over HTTPS is stored
    data: {"userName":"userName","password":"password"},
    success: function(data) {}
});
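The explanation above (a Secure cookie is discarded when it arrives over plain HTTP) is a rule the browser's cookie store applies before the cookie is ever saved, so the request "succeeds" and the Set-Cookie header is visible, yet no cookie appears. The following is an added example, not code from the original post or from ASP.NET Core: a small model of that storage decision for the attributes involved here. It assumes every http: URL counts as insecure (some browsers exempt http://localhost for this check; the model deliberately does not, matching what the question observed), and it models only the Secure, SameSite=None and __Secure- prefix rules, not Domain or Path matching. The header used as input is the one from the question; the other inputs are constructed for the demonstration.

```javascript
// Added example: a model of the checks a browser's cookie store applies to a
// Set-Cookie header, limited to Secure / SameSite / __Secure- (no Domain or Path
// matching). Assumption: any http: URL is insecure, including http://localhost.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('cookie pair must be name=value');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Decide whether a user agent stores the cookie carried by a response from responseUrl.
// Returns { stored: boolean, reason: string }.
function storeDecision(setCookieHeader, responseUrl) {
  const cookie = parseSetCookie(setCookieHeader);
  const url = new URL(responseUrl);
  const secureOrigin = url.protocol === 'https:';   // assumption: http://localhost is not exempt
  const secureFlag = cookie.attrs.secure === true;
  const sameSite = typeof cookie.attrs.samesite === 'string'
    ? cookie.attrs.samesite.toLowerCase()
    : 'lax';                                         // default when the attribute is omitted

  // RFC 6265bis storage model: a Secure cookie received over an insecure channel is discarded.
  if (secureFlag && !secureOrigin) {
    return { stored: false, reason: 'Secure cookie received over ' + url.protocol + ' is rejected' };
  }
  // SameSite=None is only accepted together with Secure.
  if (sameSite === 'none' && !secureFlag) {
    return { stored: false, reason: 'SameSite=None requires the Secure attribute' };
  }
  // The __Secure- prefix additionally requires Secure and an https: origin.
  if (cookie.name.startsWith('__Secure-') && !(secureFlag && secureOrigin)) {
    return { stored: false, reason: '__Secure- prefix requires Secure and an https origin' };
  }
  return { stored: true, reason: 'accepted ' + cookie.name + ' (SameSite=' + sameSite + ')' };
}

// The Set-Cookie header from the question, as returned by the login endpoint.
const LOGIN_HEADER = '.AspNetCore.Cookies=SomeCookieHere; expires=Sun, 10 Sep 2022 14:12:52 GMT; path=/; secure; samesite=none; httponly';

// The two endpoints discussed in the question: same header, different outcome.
function compareEndpoints() {
  return {
    http: storeDecision(LOGIN_HEADER, 'http://localhost:8000/home/login'),
    https: storeDecision(LOGIN_HEADER, 'https://localhost:4433/home/login'),
  };
}

const result = compareEndpoints();
console.log('http://localhost:8000  ->', result.http.stored ? 'stored' : 'dropped', '(' + result.http.reason + ')');
console.log('https://localhost:4433 ->', result.https.stored ? 'stored' : 'dropped', '(' + result.https.reason + ')');
```

Running it shows the header from the question being dropped for the http://localhost:8000 endpoint and stored for https://localhost:4433, which is exactly the symptom in the question: the SET-COOKIE header is present in both cases, but only the HTTPS response results in a cookie. The same function also shows why simply removing `secure` from the header is not a workaround: with `SameSite=None` the cookie is then rejected on the second check instead.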