昨天排查鉴权失败问题, 涉及到一个小点:
This Set-Cookie was blocked because it was not sent over a secure-connection and would have overwritten a cookie with Secure attribute.
其在 Chrome Devlope tools中 对应的提示:
image.png
表现为: 接口在 Response 响应头中Set-Cookie 时 失败。
原因:1、 HTTP服务不支持Secure安全属性。Secure表示Cookie会以安全的形式传输,HTTP肯定是不满足的。
2、历史使用了Https 访问过相同域名, 再以http访问且不设置Secure属性,也是不可以的。 解决办法: 清除https域名下cookie信息
根本原因: cookie不能通过 port 进行隔离。
Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server.
网友评论