Solve the cross domain problem of the new version of chrome: Cookie loss and samesite attribute problem "recommended collection"

Hello everyone , I meet you again , I'm your friend, Quan Jun .

Recently, when using front and back-end separation development , Encountered a strange problem , Set cross domain anyway , From the same page session Always inconsistent .

Find the problem ：

The front and back ends of the login interface are separated ,ajax Error submitting login Verification code interface and login interface session atypism （ Cross-domain problem ） Search the Internet for cross domain issues , To reset , The problem remains.

Troubleshooting ：

ajax allow cookie（ Have been set xhrFields: { withCredentials: true} ） springboot Tried to set up a variety of cross domain methods （springboot To solve the cross domain ）

In depth analysis ：

Use other browsers (firefox, ie),session But it's the same

contrast chrome and firefox Request headers and response headers ：

firefox： After the first request , Server return sessionId after , After each request cookie They'll bring sessionId. chrome： The request header never carries sessionId, Even the whole cookie All is empty , As a result, the server cannot accept sessionId, It's reassigned every time One individual session.

Explore solutions : Set... In the configuration class SameSite=null:

@Configuration
public class SpringSessionConfig { 
   
	@Bean
	public CookieSerializer httpSessionIdResolver() { 
   
		DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
		...
		cookieSerializer.setSameSite(null);
		...
	}
}

Be careful , If your project is not done session Distributed management , You may need to introduce the following dependencies to use the above class . As for the difference Chrome For the issue of version number, please refer to this article ： About solving Chrome In the new version cookie Cross domain carrying and samesite How to deal with the problem

<!-- https://mvnrepository.com/artifact/org.springframework.session/spring-session-core -->
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-core</artifactId>
    <version>2.1.4.RELEASE</version>
</dependency>

Final solution : When you continue to search for information , Fortunately, I found github On this question ：New cross-site cookie not ‘SameSite’ warning in Chrome

See one of the solutions : Ban chrome samesite. The method is as follows ： 1. stay chrome Open link in ： chrome://flags/#site-isolation-trial-opt-out, Search for samesite

2. Disable the above three options ( Set to disable) Restart after chrome, Problem solving

summary ： Existence is reason ,SameSite Is designed to prevent CSRF attack , Ban SameSite It doesn't actually solve the problem , It's the worst policy . Here is my understanding ,SameSite In order to prevent CSRF attack , Strengthened right cookie Management of , Prevent users from carrying cookie Go to a third-party website , And this involves cross domain issues . However , We can't ask users to disable the new version like us chrome Of SameSite, The current proposal is to header Set in samesite, That is to say response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=None") after , Use https transmission cookie.

Publisher ： Full stack programmer stack length , Reprint please indicate the source ：https://javaforall.cn/133162.html Link to the original text ：https://javaforall.cn