I'm using auth0/angular2-jwt library to append the JWT on each request.
I'd like to know how can I also add the JSESSIONID cookie on each request too so I hit the server side session?
Is this a good practice?
I've tried this with no success
    let myHeader = new Headers();
    myHeader.append('SET-COOKIE', 'JSESSIONID=<jsessionid>');
    this.authHttp.get(endpoint, {headers: myHeader, withCredentials: true})
      .map(res => res.json())
      .subscribe(
        jwt => {
          ...
        },
        err => console.log(err));
asked Nov 15, 2016 at 8:25 by faguilera85 (edited Nov 15, 2016 at 9:00)
2 Answers
Is it good practice?
No, it is not good practice.
From the JWT docs:
In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned and must be saved locally (typically in local storage, but cookies can be also used), instead of the traditional approach of creating a session in the server and returning a cookie.
Reference: https://jwt.io/introduction/
JSESSIONID
You need to know that there are multiple types of cookies stored in the browser. Many of them are accessible from JS code, but some of them are httpOnly. This means that the browser is able to append them to every request transparently to the JS code (you will not see the cookie in your code). The default implementation of JSESSIONID on the server side is an example of an httpOnly cookie. There are multiple security reasons for this kind of design - JS malware on your page will not be able to steal the session from the client.
Headers
    myHeader.append('SET-COOKIE', 'JSESSIONID=<jsessionid>');

This is not a valid way to pass cookies to the server. This is the correct way to send a response to the client and set cookies on the client. If you want to pass cookies, you can use:

    myHeader.append('Cookie', 'JSESSIONID=<jsessionid>');

Still, this will not work. The browser will append its own anyway.
That said, JSESSIONID should be appended automatically to your requests by the browser. If it does not work this way, either the JSESSIONID cookie is not set in the browser (check Chrome developer tools; you can view cookies in the Application tab) or you are using a remote server, on a different port/server/protocol than your app (then CORS comes in and ruins your app in this case).
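Added example (not part of either answer or of the original thread): a small JavaScript model of the server side of the exchange described above. It shows that only the `Cookie` request header selects a session, that a `Set-Cookie` header sent by the client is ignored, and that a credentialed cross-origin request needs its origin echoed back together with `Access-Control-Allow-Credentials`. The origin, session ID and function names are constructed for illustration.

```javascript
// Added example: all names and values here are constructed, not from the thread.
const ALLOWED_ORIGINS = new Set(['http://localhost:4200']);           // assumed Angular dev origin
const sessions = new Map([['SAMPLE-SESSION-ID', { user: 'alice' }]]); // constructed session

// Response header that *sets* the cookie in the browser. HttpOnly hides it
// from page scripts; the browser still sends it back on later requests.
function sessionCookie(id) {
  return `JSESSIONID=${id}; Path=/; HttpOnly`;
}

// Parse the *request* header "Cookie: a=1; b=2" into an object.
function parseCookieHeader(value) {
  const out = {};
  for (const part of (value || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// CORS headers for a credentialed request: the origin must be echoed exactly
// ("*" is rejected by browsers when credentials are included).
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Header names are assumed lower-cased, as Node's http module delivers them.
function handle(req) {
  const headers = corsHeaders(req.headers['origin']);
  // Only the Cookie request header identifies a session; a Set-Cookie header
  // sent by the client is never consulted.
  const id = parseCookieHeader(req.headers['cookie']).JSESSIONID;
  const session = sessions.get(id);
  return session
    ? { status: 200, headers, body: session.user }
    : { status: 401, headers, body: 'no session' };
}
```

On the Angular side the matching piece is `withCredentials: true`, which the question already sets; without the two `Access-Control-Allow-*` headers above, the browser withholds the response from the page.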
Easiest Solution
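    import { Injectable } from '@angular/core';
    import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
    import { Observable } from 'rxjs';
    // RestProvider is the poster's own service; the class name below is illustrative.
    @Injectable()
    export class SessionInterceptor implements HttpInterceptor {
      constructor(public restProvider: RestProvider) { }
      intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        if (this.restProvider.getToken() != null) {
          const clonedRequest = request.clone({
            headers: request.headers.set('X-Requested-With', 'XMLHttpRequest')
          });
          return next.handle(clonedRequest); // forward the modified copy
        }
        return next.handle(request); // no token: pass the request through unchanged
      }
    }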
Article tags: javascript - Angular2 Set-Cookie JSESSIONID in HTTP requests - Stack Overflow