logo标签列表

设置sameSite="none"和secure="true"不能解决Chrome抛出的新CORS错误。

javascriptnode.jsexpresscookiesexpress-session
4

我一直在尝试通过express-session解决Google Chrome抛出的新CORS问题,但似乎没有解决。具体来说,是这个错误:

A cookie associated with a cross-site resource at http://plant-app-test.herokuapp.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

我的当前技术栈包括 Node.js, Express.js, 以及用于身份验证的 Passport.js。您可以在下面看到配置:

  • app.js

require("dotenv").config();

const path = require("path");
const cors = require("cors");
const logger = require("morgan");
const helmet = require("helmet");
const express = require("express");
const mongoose = require("mongoose");
const bodyParser = require("body-parser");
const cookieParser = require("cookie-parser");

const app_name = require("./package.json").name;
const debug = require("debug")(
  `${app_name}:${path.basename(__filename).split(".")[0]}`
);

const app = express();

// CORS setup
app.use(
  cors({
    credentials: true,
    preflightContinue: true,
    optionsSuccessStatus: 200,
    origin: process.env.REACT_APP_CLIENT_POINT,
    allowedHeaders: ["Content-Type", "Authorization"],
    methods: ["GET", "POST", "PUT", "HEAD", "PATCH", "DELETE"],
  })
);

// Middleware Setup
app.use(helmet());
app.use(logger("dev"));
app.use(cookieParser());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));

require("./configs/db.config");
require("./configs/session.config")(app);
require("./configs/passport/passport.config.js")(app);

// Route setup
app.use("/", require("./routes/index"));
app.use("/auth", require("./routes/auth"));
app.use("/app", require("./routes/application"));

module.exports = app;

  • session-config.js

const session = require("express-session");
const mongoose = require("mongoose");
const MongoStore = require("connect-mongo")(session);
const cookieParser = require("cookie-parser");

module.exports = (app) => {
  app.use(
    session({
      secret: process.env.SESS_SECRET,
      name: "sessionID",
      cookie: {
        sameSite: "none",
        secure: true,
      },
      resave: false,
      saveUninitialized: false,
      store: new MongoStore({
        mongooseConnection: mongoose.connection,
        ttl: 60 * 60 * 24 * 1000,
      }),
    })
  );
};

  • passport-config.js

const passport = require("passport");

require("./serializers.config");
require("./local-strategy.config");
require("./google-strategy.config");
require("./facebook-strategy.config");

module.exports = (app) => {
  app.use(passport.initialize());
  app.use(passport.session());
};

  • serializers-config.js

const passport = require("passport");
const User = require("../../models/User.model");

passport.serializeUser(function (user, done) {
  done(null, user._id);
});

passport.deserializeUser(async function (id, done) {
  await User.findById(id, function (err, user) {
    if (!err) done(null, user);
    else done(err, null);
  });
});

我尝试了几种不同的会话cookie配置,在我的开发环境上运行良好(位于HTTP://localhost但使用不同的端口)。请问有人能帮忙吗?由于这不能使用户会话持久化并利用其存储在cookie中的id进行工作流程,因此我需要帮助。

谢谢!

如果您还发布了发送到服务器的标头,那么我们也可以看到为什么 cookie 被阻止,这可能会更有帮助。此外,您发布的 URL 没有正确的 https 证书,这可能是问题的一部分,因为您提供了:secure: true。这将在本地主机上运行,但在托管时失败。 - Kyle Mills
2个回答
2
对于我的Heroku应用和非常相似的情况,我通过在express-session配置中添加proxy:true,来解决了这个问题。我相信这启用了secure:true所需的SSL通信。
1

首先尝试使用cookieParser,然后启用cors -我真的不明白为什么,但我相信在express中顺序很重要。之后尝试注入会话"app.use(injectSession)",在这里您可能需要调整会话配置代码以适应此样式。我认为您不需要在session-config文件中再次导入cookieParser,也许它会覆盖您之前的配置。

谢谢!我一定会尝试的。 - gustavo.jordao021
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接