|
我正在使用基于Laravel的较新的PHP版本迁移旧的perl应用程序.这需要perl应用程序向新的Laravel应用程序发出XHR请求,并且我在Chrome中遇到了一些问题,并且返回了Cookie.
当我们已经登录到这两个应用程序时,我正在尝试向Laravel应用程序发出两个请求:第一个请求CSRF令牌,第二个使用该令牌发出POST请求.
我已经将CORS配置为我正在发送和接收cookie的点,并且初始/令牌GET调用正常工作(根据XHR请求发送的cookie进行身份验证)
/ token调用然后返回一个带有laravel_session cookie的Set-Cookie标头(如预期的那样),但我的问题是以下POST请求发送了同一个cookie的两个版本,PHP似乎只是查看不正确的一个和因此加载错误的会话并针对错误的CSRF令牌进行测试.
以下是所有3个请求的详细信息 – 正如您所看到的,最终的POST是发送两个版本的相同cookie,具有不同的值. (为清晰起见,在Cookie标头中添加了换行符)
这只发生在Chrome中,在Safari中,它似乎发送了正确的Cookie并且CSRF令牌已正确验证. Chrome版本为45.0.2454.101.
令牌请求标头:
GET /token HTTP/1.1
Host: laravel.
Connection: keep-alive
Accept: */ *
Origin: https://perl.
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: https://perl./original/page.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: XSRF-TOKEN=eyJpdiI6Im5kSG02TVhsc08wUVZCZkd2WnZQa1E9PSIsInZhbHVlIjoiWFE0MXFBNlZIMnNXVHppXC9hN0dqNlJ2K1psUU9JZlFqTUdZZ3RJVmc0N1ZqV0MrVEczOGVFV0ExcDRDYmQxZDBTbFhGaWFiUkh5TGowOUgxdzVKOCtBPT0iLCJtYWMiOiJhOTYzNDFlZjUyYTdjMWFmMDE1MTFlMjczYTA0NTE2NThlYjVlNTkyOWUyZWNjZWM1MGYxODc4MmVjMTM5YTFhIn0=;
laravel_session=eyJpdiI6ImdSM0VTT25FUzZoY3JOeVwvN2JLWFFnPT0iLCJ2YWx1ZSI6Ilp3WHBFZlNuTnZibVMyMUlvbk1YM1YwdXF5VjRnTW1CNWVjUU1ReXlLZldSeEJxeTJFSmgyN2pyTjAydXlzMzE1TmJseWZrQmRraStDUkFqNTFReUp3PT0iLCJtYWMiOiI5MWMxM2YyNzFjOTY3ZjIxMmVjYmNlZWNlNDAzYjI2MjZkNmJhMzIyM2VlNTAwNGJlNTQ4OTU4OTMxZjJhYjE5In0=;
_ga=GA1.3.1924987937.1443461035;
_dc_gtm_UA-5119192-1=1
令牌响应标头:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://perl.
Cache-Control:no-cache
Connection:Keep-Alive
Content-Length:40
Content-Type:text/plain; charset=UTF-8
Date:Mon, 28 Sep 2015 17:24:18 GMT
Keep-Alive:timeout=2, max=80
P3P:policyref="/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa DEVa CUSa PSAa IVAa CONo OUR IND UNI STA"
Server:Apache
Set-Cookie:XSRF-TOKEN=eyJpdiI6ImFiT3ZSWWVDUnlKcWMraGFrWnBVY2c9PSIsInZhbHVlIjoiOTVnc05UM3puVGRwTUNUbDl3T1FNTVpWdGxVM29VaHNLSUt0XC9LTkhzMG5iOGlNbmhHXC9KMDBBTW9qRjZFQXZaSmlHTmhKUVpmTGdpXC80K0lkSUhUdnc9PSIsIm1hYyI6IjI5Njc1ZWE2NTRiYTY4NWJhMmE5Y2UwNjBlZDRkOWE4OGQwOWQ5NjE1YjAyNTMwNTFmZDczY2RjNzRiNjExNDIifQ==; expires=Mon, 28-Sep-2015 19:24:23 GMT; Max-Age=7200; path=/
Set-Cookie:laravel_session=eyJpdiI6IjJqbTRyWG1GOEd1c2NIRnd4eE4yMGc9PSIsInZhbHVlIjoiZzk2SFE2emxcL0xGNjI3aGtYd1NmWURUVEduMVZVY2dYeUlRTVo2UTYyU0I2dFljalhxTjJSY3JFMGpvXC9nc2N0N3dJUFZYbGQya3pUNit1eWtrM3JqZz09IiwibWFjIjoiNDBhYzAzZjkwNDA5ZDE4Y2Y5ZjQ1MjdiYTUwYWU2M2Y5NjVjY2I1ZmMxZWFlMzAwZWM4MmVjNWRlYjM2Yjc2ZSJ9; expires=Mon, 28-Sep-2015 19:24:23 GMT; Max-Age=7200; path=/; httponly
Vary:Origin
X-Powered-By:PHP/5.5.9-1ubuntu4.11
预检请求标题:
OPTIONS /destination/of/post HTTP/1.1
Host: laravel.
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: https://perl.
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Access-Control-Request-Headers: accept, content-type
Accept: */*
Referer: https://perl./original/page.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
预检响应标题:
HTTP/1.1 200 OK
Date: Mon, 28 Sep 2015 17:24:24 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Allow: POST
Cache-Control: no-cache, private
access-control-allow-credentials: true
access-control-allow-origin: https://www.
access-control-allow-methods: GET, POST, PUT, DELETE
access-control-allow-headers: ACCEPT, CONTENT-TYPE
Set-Cookie: XSRF-TOKEN=eyJpdiI6ImVRTGM3Q1I5RUttXC83NlVLNEN3Z3ZRPT0iLCJ2YWx1ZSI6IlE0SVRjVnJHRHhRUXFYYUhZbVwvSEpLSFp2VVZSa0creW5OUzR2aFdXTEI5VWFEMzBCSkNjeHBzR0dycjVuYWxsOVJ4KzdNVWhhR3dMSmhiam8yUDZcL1E9PSIsIm1hYyI6ImRiYzE4ODRlMTAyOTFkMmY0NTI2YjkzMmExMGZjM2EzOTU2ZDc3N2Q1ZGQzYjNhM2EyNDY5YjhjNGIxMjVlMWYifQ==; expires=Mon, 28-Sep-2015 19:24:24 GMT; Max-Age=7200; path=/
Set-Cookie: laravel_session=eyJpdiI6InR5M3JjWkltaVdoSldIa3FsWVp2YUE9PSIsInZhbHVlIjoibjFuODdiVXRKQmdvU1hVcTdcL3VQeWF4K243d2h3Z3EwNWtVeTNWZUdBWGFWQ21QQXlid2RFSmNLSklpanVpZUNhZGE5UlU2Q1FqUCtnSVd4UWkwM2ZRPT0iLCJtYWMiOiI1ZjNjOWQyNmZlNGI1MDI5OGQxOGY2ZGI5M2M1MTMwNWRjZGY4MDVjMGViODNjYjg0MmU5ZWQ0MzRjNjYyN2VhIn0=; expires=Mon, 28-Sep-2015 19:24:24 GMT; Max-Age=7200; path=/; httponly
Vary: Accept-Encoding
Content-Encoding: gzip
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa DEVa CUSa PSAa IVAa CONo OUR IND UNI STA"
Content-Length: 3501
Keep-Alive: timeout=2, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST请求标题:
POST /destination/of/post HTTP/1.1
Host: laravel.
Connection: keep-alive
Content-Length: 72
Accept: application/json, text/javascript, */ *; q=0.01
Origin: https://perl.
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/json
Referer: https://perl./original/page.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: _dc_gtm_UA-5119192-1=1; _ga=GA1.3.2141864485.1441288526;
__zlcmid=WXevTAW8aGLGrO;
XSRF-TOKEN=eyJpdiI6ImQ1TFRGaWFwK3cyd3RRa3BzbUNmc0E9PSIsInZhbHVlIjoiNGEydmlLWE96NzZueWtaWWlUa3UzMjZOK29NbmNPb2VidVdVYzdSbkZsaWJMVmxBRitLT05oK3hodUc1ejRMOWJWYzVIeEl6UlpzQ0dIeWlob3pFOFE9PSIsIm1hYyI6IjkzNTczMDJlOWVhZjM5NTU0NGEyNmE5YWNiODcxNDk4YmE0ODEyYTE3ZWExODBiMmNhNDFmMGFhMjVmNjhhYjgifQ==;
laravel_session=eyJpdiI6IkIrc3QzUk1iQnNEKysxOEg2UCtSbmc9PSIsInZhbHVlIjoiYXVDalVhaUpDMms3K3AwZFVLV0EyMDMwK25tVUQyYWw5c1MxTVRkZ0ZvVWpcL2lZUndubitsQ2VVMDF1UFcwNzNsR1doNG9TY2diMEhadHdXMEoxamt3PT0iLCJtYWMiOiI5MjE1NWE0MGNmMDgyYzhlYjBjMDUwY2JhOGYxNThjZTM0MjMwM2E3M2VjZjg1ZTgxMzIxZjE5OTkzZDEzZDhhIn0=;
_ga=GA1.3.1924987937.1443461035;
_dc_gtm_UA-5119192-1=1;
XSRF-TOKEN=eyJpdiI6ImFiT3ZSWWVDUnlKcWMraGFrWnBVY2c9PSIsInZhbHVlIjoiOTVnc05UM3puVGRwTUNUbDl3T1FNTVpWdGxVM29VaHNLSUt0XC9LTkhzMG5iOGlNbmhHXC9KMDBBTW9qRjZFQXZaSmlHTmhKUVpmTGdpXC80K0lkSUhUdnc9PSIsIm1hYyI6IjI5Njc1ZWE2NTRiYTY4NWJhMmE5Y2UwNjBlZDRkOWE4OGQwOWQ5NjE1YjAyNTMwNTFmZDczY2RjNzRiNjExNDIifQ==;
laravel_session=eyJpdiI6IjJqbTRyWG1GOEd1c2NIRnd4eE4yMGc9PSIsInZhbHVlIjoiZzk2SFE2emxcL0xGNjI3aGtYd1NmWURUVEduMVZVY2dYeUlRTVo2UTYyU0I2dFljalhxTjJSY3JFMGpvXC9nc2N0N3dJUFZYbGQya3pUNit1eWtrM3JqZz09IiwibWFjIjoiNDBhYzAzZjkwNDA5ZDE4Y2Y5ZjQ1MjdiYTUwYWU2M2Y5NjVjY2I1ZmMxZWFlMzAwZWM4MmVjNWRlYjM2Yjc2ZSJ9
POST响应标头
HTTP/1.0 302 Found
Date: Mon, 28 Sep 2015 17:24:24 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Cache-Control: no-cache
Location: https://laravel./auth/login
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa DEVa CUSa PSAa IVAa CONo OUR IND UNI STA"
Content-Length: 416
Connection: close
Content-Type: text/html
解决方法: 同名的两个cookie可能因为它们位于不同的路径,当您编辑cookie时,您必须指定与令牌响应头中相同的路径和相同的域. 来源:https://www./content-1-291401.html
|
