角度v5x, 节点v8.11.1, google chrome v72.0.3626.109 64位窗口8
如果客户端和服务器在同一个域中(例如 https:example.com ),则可以在客户端获取Cookie。 并且如果客户端和服务器位于不同的域上(例如客户端位于域https://sub1.example1.com上并且服务器位于域https://sub2.example2.com上,则无法获取Cookie
允许在服务器中配置CORS:
res.header("Access-Control-Allow-Origin", req.get('origin'));
res.header("Access-Control-Allow-Credentials", true);
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
res.header("Access-Control-Allow-Methods", "POST, PUT, GET, DELETE");
res.header("Access-Control-Expose-Headers", "*");
使用HTTPS响应对象附加cookie
var cookieConfigOptions = {
"maxAge": 946080000,
"httpOnly": false,
"secure": true,
"signed": true,
"domain": ".sub1.example1.com"
};
res.cookie("token", "80444cd0-38fa-11e9-9c54-f3ac2c85d660_Aaaaa_Bbb_CC", cookieConfigOptions);
REST API响应标头:
[Symbol(outHeadersKey)]:
{ 'x-powered-by': [ 'X-Powered-By', 'Express' ],
'access-control-allow-credentials': [ 'Access-Control-Allow-Credentials', 'true' ],
'access-control-allow-origin': [ 'Access-Control-Allow-Origin','https://sub1.example1.com' ],
'access-control-allow-headers': [ 'Access-Control-Allow-Headers','Origin, X-Requested-With, Content-Type, Accept, Authorization' ],
'access-control-allow-methods': [ 'Access-Control-Allow-Methods', 'POST, PUT, GET, DELETE' ],
'access-control-expose-headers': [ 'Access-Control-Expose-Headers', '*' ],
'x-ratelimit-limit': [ 'X-RateLimit-Limit', 5000 ],
'x-ratelimit-remaining': [ 'X-RateLimit-Remaining', 4999 ],
'set-cookie':
[ 'Set-Cookie',
'token=s%3A80444cd0-38fa-11e9-9c54-f3ac2c85d660_Aaaaa_Bbb_CC.PhB51SpDR%2FycSc2NVYy7mJ9WbjcgzHrAqGKrL95GppQ; Max-Age=946080000; Domain=.sub1.example1.com; Path=/; Expires=Wed, 17 Feb 2049 12:40:15 GMT; Secure' ],
etag: [ 'ETag', 'W/"7d-r04KVX+lvHV/X56rSN84FzKivtU"' ] } }
在请求api时,已在ng5代码的拦截器中添加了withCredentials选项。
req = req.clone({ withCredentials: true });
可用响应头 set-cookie ,但无法使用angular client进入浏览器。 请建议我缺少什么。 谢谢