This is the first day of my participation in Gwen Challenge

The thing is, in a project I'm working on these days, I have a login page and need to call the back-end interface to write a cookie that marks the user ID. The browser reports that the interface request is cross-domain, yet I found that the cookie was written successfully.

To set cookies successfully, you must set withCredentials: true on the front end and, at the same time, set the corresponding Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers on the back end. But right now only the front end is set; the back end does not set any CORS headers. So why is the cookie set successfully?

The specific situation is as follows:

1. The cross-domain (CORS) headers are not set on the server

2. The interface response contains the corresponding Set-Cookie header

3. The corresponding cookie also shows up in the browser's Application panel

So the cookie is set successfully: when the front end sets withCredentials in a cross-domain scenario, Set-Cookie succeeds.

I went back to read the introduction to Set-Cookie on MDN, which mainly talks about how to use Set-Cookie, the same content found in most articles on the Internet. There is no further elaboration and no discussion of the cross-domain situation. The CORS section only says that the response cannot be read if the front and back ends are not configured for cross-domain requests; Set-Cookie is not mentioned. I read articles written by others on the Internet, and they are basically the same with minor differences, all requiring the front and back ends to set up cross-domain configuration, and I gained nothing from them.

I talked to my colleague about this problem and asked him whether a cookie can be set successfully when the back end does not send the cross-domain headers and only the front end sets withCredentials: true. After a lot of thinking, he finally gave me the answer that Set-Cookie should have nothing to do with cross-domain at all!! Requesting this interface with an IMG tag can also set the cookie successfully, so browser cross-domain restrictions only affect whether the front end can read the response, not Set-Cookie.

HMMMM, of course I didn't believe it; after all, img is not cross-domain by default. In the cross-domain CORS case, if withCredentials is not set, Set-Cookie is ignored.


Finally, after unremitting searching and asking around (HHHHH), I found the answer:

If the server is not configured with CORS cross-domain headers, the front end will not be able to read the server response, but Set-Cookie will still succeed.

Conclusion

Set-Cookie in the cross-domain case:

  1. With withCredentials: true on the front end, Set-Cookie succeeds even when the CORS headers are not set on the back end
  2. When the front end does not set withCredentials, or sets it to false, Set-Cookie headers are ignored
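These two rules are two independent decisions the browser makes, and it helps to see them side by side. The following is an added example (my own model, not code from the original post): it encodes the CORS read check and the Set-Cookie rule as plain JavaScript functions and runs them over constructed responses. The origin, cookie value and header objects are assumed sample data; in real front-end code the flag is `xhr.withCredentials = true` or fetch's `credentials: 'include'`.

```javascript
// Added example (not from the original post): a model of the two separate
// decisions a browser makes about a cross-origin XHR/fetch response.
//   1. corsCheck     - may the page read the response body and headers?
//   2. storesCookies - are the Set-Cookie headers applied to the cookie jar?
// Header names are the real CORS ones; origin, cookie and responses are constructed.

function corsCheck(origin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false; // no CORS header: response blocked
  if (withCredentials) {
    // In credentials mode "*" is rejected and Allow-Credentials must be exactly "true".
    return allowOrigin === origin &&
      headers['access-control-allow-credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === origin;
}

function storesCookies(withCredentials, headers) {
  // Cookies are stored while the network response is received, before the CORS
  // check runs, so a failed CORS check does not undo them. Without credentials
  // mode the browser ignores Set-Cookie on cross-origin responses entirely.
  // Caveat not modelled: cross-site cookies also need SameSite=None; Secure.
  const setCookie = headers['set-cookie'] || [];
  return withCredentials && setCookie.length > 0;
}

function evaluate(origin, withCredentials, headers) {
  return {
    responseReadable: corsCheck(origin, withCredentials, headers),
    cookiesStored: storesCookies(withCredentials, headers),
  };
}

// Constructed sample matching the post: the back end sets a cookie but no CORS headers.
const ORIGIN = 'https://app.example';
const NO_CORS = {
  'content-type': 'application/json',
  'set-cookie': ['uid=123; Path=/; SameSite=None; Secure'],
};
// Back end fixed: echo the page origin and allow credentials.
const WITH_CORS = {
  ...NO_CORS,
  'access-control-allow-origin': ORIGIN,
  'access-control-allow-credentials': 'true',
};

console.log(evaluate(ORIGIN, true, NO_CORS));   // { responseReadable: false, cookiesStored: true }
console.log(evaluate(ORIGIN, false, NO_CORS));  // { responseReadable: false, cookiesStored: false }
console.log(evaluate(ORIGIN, true, WITH_CORS)); // { responseReadable: true, cookiesStored: true }
```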

Finally, for more information on cookie settings, see another friend's article.