Problem description

Since the login page of the company system is a separate project, after each login (currently on 39.xxx) we need to redirect to localhost for development. After several days of happy development, however, logging in on localhost suddenly stopped working.

Troubleshooting

  1. First check whether the front end actually received the cookie

    The front end gets a fresh cookie on every request (the back end treats each one as a brand-new login); localhost never receives the cookie issued by the login page in the first place.

  2. Check whether the back end was modified

    No changes had been made, upon inquiry.

  3. Use Postman to test whether the back-end login works

    Login works fine in Postman, so this is where we were stuck for a long time.

Reverse thinking

Why did switching to localhost use to be able to get the cookie?

Switching to localhost requires passing the session ID (SID) to the back end so it can verify that I am currently logged in. The front end does this by sending requests to 39.xxx/… /login, which carry the current cookie to the back end and let it confirm the login.

So as long as the browser attaches that cookie to the login request sent from the localhost page, the cookie is available and the session is recognized.

Root cause

Chrome 80 changed the default value of SameSite. SameSite controls whether a cookie is sent on cross-site requests (that is, whether it can act as a third-party cookie). Its values:

  • Strict: strictest. The cookie is never sent on cross-site requests, not even when the user follows a link to the site from elsewhere.

  • Lax (the default in Chrome 80 and later when the attribute is missing): the cookie is not sent on cross-site requests either, with one exception: top-level navigations using a safe method (a GET link or redirect). Cross-site fetch/XHR, images and iframes do not get it, even for GET. (Chrome 80 also temporarily sends cookies that have no SameSite attribute on cross-site top-level POSTs for two minutes after they are set, the "Lax+POST" mitigation.)

  • None: the cookie is sent on all cross-site requests (the value we want here). Chrome 80 only accepts SameSite=None together with the Secure attribute; without Secure the cookie is rejected outright.

    Why was this change made? Our guess is privacy: a great deal can be learned about users through third-party cookies (search for "third-party cookies" if you are interested), and other browsers have reportedly already disabled third-party cookies by default.

    Why did the login suddenly fail? Either Chrome updated itself automatically, or Google's gradual (greyscale) rollout of the new default reached our users; Chrome 80 enabled SameSite-by-default for a growing percentage of users rather than for everyone at once (search for "greyscale release" if you are interested).
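To make the three values concrete, here is a small model of the browser's decision, written for this post as an added example (not code from the original article). It approximates a "site" as the last two host labels and ignores the Public Suffix List and schemeful same-site; it uses login.example.com as a stand-in for the post's 39.xxx host and http://localhost:8080 for the dev front end. All of those are assumptions. It goes slightly beyond the bullets above by also modelling the pre-Chrome-80 behaviour and the Lax+POST two-minute exception, so the "it used to work, now it doesn't" story can be replayed.

```javascript
'use strict';

// Added example, not code from the original post: a simplified model of how
// a Chrome 80+ browser decides whether to attach a cookie to a request.
// Simplifications: a "site" is taken to be the last two host labels (real
// browsers use the Public Suffix List and, since Chrome 89, compare the
// scheme too), and the localhost exemption for Secure cookies is ignored.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Registrable-domain approximation; localhost and IP literals are their own site.
function siteOf(url) {
  const host = new URL(url).hostname;
  if (host === 'localhost' || /^[\d.]+$/.test(host) || host.includes(':')) return host;
  return host.split('.').slice(-2).join('.');
}

// Chrome 80 silently drops a SameSite=None cookie that is not also Secure
// (the "Cookies without SameSite must be secure" behaviour).
function acceptsSetCookie(cookie, { legacy = false } = {}) {
  return legacy || cookie.sameSite !== 'None' || Boolean(cookie.secure);
}

// cookie  = { domain, sameSite: 'Strict'|'Lax'|'None'|undefined, secure }
// request = { url, initiator (URL of the page making the request),
//             topLevel (true for navigations, false for fetch/XHR/img/iframe), method }
// opts.legacy           = pre-Chrome-80 rules (missing SameSite behaves like None)
// opts.cookieAgeSeconds = how long ago the cookie was set (Lax+POST exception)
function wouldSendCookie(cookie, request, { legacy = false, cookieAgeSeconds = Infinity } = {}) {
  const target = new URL(request.url);
  const method = request.method.toUpperCase();
  if (target.hostname !== cookie.domain) return false;             // not this cookie's host
  if (cookie.secure && target.protocol !== 'https:') return false;   // Secure => https only
  if (siteOf(request.initiator) === siteOf(request.url)) return true; // same-site: always sent

  // From here on the request is cross-site.
  let mode = cookie.sameSite;
  if (mode === undefined) {
    if (legacy) return true;   // old default: sent everywhere
    mode = 'Lax';              // Chrome 80 default for cookies with no attribute
    // Lax+POST mitigation: attribute-less cookies younger than 2 minutes still
    // ride along on top-level cross-site POSTs (login flows that bounce back).
    if (request.topLevel && method === 'POST' && cookieAgeSeconds < 120) return true;
  }
  switch (mode) {
    case 'Strict': return false;
    case 'Lax':    return Boolean(request.topLevel) && SAFE_METHODS.has(method);
    case 'None':   return true;
    default:       throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// The post's situation: login service on its own host (login.example.com stands
// in for 39.xxx and is assumed to be https), dev front end on http://localhost:8080
// calling the login API with fetch/XHR, i.e. a cross-site subrequest.
const LOGIN_HOST = 'login.example.com';
const loginRequest = {
  url: `https://${LOGIN_HOST}/api/login`,
  initiator: 'http://localhost:8080/',
  topLevel: false,
  method: 'POST',
};
const oldCookie   = { domain: LOGIN_HOST, secure: false };                  // no SameSite attribute
const fixedCookie = { domain: LOGIN_HOST, sameSite: 'None', secure: true }; // the post's fix

function scenario() {
  return {
    beforeChrome80: wouldSendCookie(oldCookie, loginRequest, { legacy: true }), // true: it used to work
    afterChrome80:  wouldSendCookie(oldCookie, loginRequest),                   // false: now treated as Lax
    withFix:        wouldSendCookie(fixedCookie, loginRequest),                 // true
    noneButNotSecureAccepted: acceptsSetCookie({ domain: LOGIN_HOST, sameSite: 'None', secure: false }), // false
  };
}

console.log(scenario());
```

Running it prints the four outcomes above: the attribute-less cookie that Postman happily sends is exactly the one the browser now withholds from a cross-site XHR, while a top-level GET link to the login host would still carry a Lax cookie.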

The solution

  • Turn off the restriction in the browser (local development only)

    Open chrome://flags, find "SameSite by default cookies" and "Cookies without SameSite must be secure", set both to Disabled and relaunch Chrome. This only papers over the problem on your own machine, and the two flags were removed in Chrome 91, so it does not work on current browsers at all.

  • Set SameSite to None (for single sign-on and other cases where the cookie genuinely has to cross sites)

    We need to set SameSite to None. After that the back end must also serve the login API over HTTPS and mark the cookie Secure (Chrome only accepts SameSite=None together with Secure, and a Secure cookie is only sent over HTTPS connections, never plain HTTP). Since the front end on localhost calls 39.xxx cross-origin, the back end also has to answer with CORS headers that name that exact origin and allow credentials, and the front end has to send the request with credentials. Be aware that None gives up the CSRF protection Lax provides for free: the cookie is once again attached to every cross-site request, so state-changing endpoints still need a CSRF token.

    // The Servlet Cookie API has no SameSite setter, so write the header by hand:
    response.setHeader("Set-Cookie", "id=xxxx; Path=/; SameSite=None; Secure");

conclusion

When we hit a problem, we need to understand how the underlying mechanism works and then reason from its rules.

expand

If you want to know more about cookies, see the separate post on cookies.