tip-archive icon indicating copy to clipboard operation
tip-archive copied to clipboard
verified publisher icon JaeYeopHan

Cannot contain cookie in request header :(

Open jbee37142 opened this issue 6 years ago โ€ข 0 comments

withCredentials

Problem

Webview์—์„œ Server๋กœ ์š”์ฒญ์„ ๋ณด๋‚ผ ๋•Œ, HTTP header์— Cookie๊ฐ’์ด ํ•จ๊ป˜ ์ „๋‹ฌ๋˜์ง€ ์•Š๋Š”๋‹ค. Cookie storage์—๋Š” ์ž˜ ๋“ค์–ด์™€ ์žˆ๋‹ค.

Situation

  • ์ƒํ™ฉ 1. ๋„๋ฉ”์ธ์ด ๋‹ค๋ฅด๋‹ค.
    • ์„œ๋ฒ„์˜ ๋„๋ฉ”์ธ: api.test.me
    • request๋ฅผ ๋ณด๋‚ด๋Š” ํด๋ผ์ด์–ธํŠธ์˜ ๋„๋ฉ”์ธ: test.me
    • no nginx, no proxy
  • ์ƒํ™ฉ 2. request header์— ์ง์ ‘์ ์œผ๋กœ cookie ๊ฐ’์„ ์„ธํŒ…ํ•  ์ˆ˜ ์—†๋‹ค.
    • HttpOnly ์ฟ ํ‚ค์˜€๊ธฐ ๋•Œ๋ฌธ์—, document.cookie์— ์ ‘๊ทผํ•  ์ˆ˜ ์—†๋‹ค.
  • ์ƒํ™ฉ 3. ์„œ๋ฒ„์—์„œ Set-Cookie๋ฅผ ํ•ด์ฃผ๊ธฐ ์ „์— request header์— cookie๋ฅผ ์„ธํŒ…ํ•ด์•ผ ํ•œ๋‹ค.
    • App์—์„œ ์ฟ ํ‚ค๋ฅผ ์ฃผ์ž…ํ•˜์—ฌ Webview๋ฅผ ๋„์›Œ์ค€๋‹ค.
    • Webview์—์„œ ๋ฐœ์ƒํ•˜๋Š” request header์—๋Š” cookie๊ฐ€ ์„ค์ •๋˜์–ด์•ผ ํ•œ๋‹ค.

Solution

axiosConfig.withCredentials = true

or

fetch({
  credentials: 'include'
})

reference์— ์ฒจ๋ถ€ํ•œ mdn ๋ฌธ์„œ์—์„œ ๋‹ค์Œ๊ณผ ๊ฐ™์ด ๋‚˜์˜จ๋‹ค.

Note: XMLHttpRequest responses from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request, regardless of Access-Control- header values.

๋‘๋ฒˆ์งธ๋กœ ์ฒจ๋ถ€ํ•œ HTML5Rock์˜ ๋ธ”๋กœ๊ทธ ๊ธ€์—๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์ด ๋‚˜์˜จ๋‹ค.

Standard CORS requests do not send or set any cookies by default. In order to include cookies as part of the request, you need to set the XMLHttpRequestโ€™s .withCredentials property to true:

์›น์•Œ๋ชป ์ธ์ฆํ•˜๋ฉฐ ๊ฒธ์†ํ•ด์ง€๋Š” ๋‚ ์ด์—ˆ๋‹ค.

Knowledge

Cookie?

HTTP ์š”์ฒญ์„ ์ˆ˜์‹ ํ•  ๋•Œ, ์„œ๋ฒ„๋Š” ์‘๋‹ต๊ณผ ํ•จ๊ป˜ Set-Cookie ํ—ค๋”๋ฅผ ์ „์†กํ•  ์ˆ˜ ์žˆ๋‹ค. ์ฟ ํ‚ค๋Š” ๋ณดํ†ต ๋ธŒ๋ผ์šฐ์ €์— ์˜ํ•ด ์ €์žฅ๋˜๋ฉฐ, ๊ทธ ํ›„ ์ฟ ํ‚ค๋Š” ๊ฐ™์€ ์„œ๋ฒ„์— ์˜ํ•ด ๋งŒ๋“ค์–ด์ง„ ์š”์ฒญ(Request)๋“ค์˜ Cookie HTTP ํ—ค๋”์•ˆ์— ํฌํ•จ๋˜์–ด ์ „์†ก๋œ๋‹ค.

์ฟ ํ‚ค๋Š”...

  • ๋Œ€๊ฐœ ์›น ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์—์„œ ์‚ฌ์šฉ์ž์™€ ๊ทธ๋“ค์˜ ์ธ์ฆ๋œ ์„ธ์…˜์„ ์‹๋ณ„ํ•˜๊ธฐ ์œ„ํ•ด ์‚ฌ์šฉ๋˜๊ณค ํ•œ๋‹ค.
  • ๋‘ ์š”์ฒญ์ด ๋™์ผํ•œ ๋ธŒ๋ผ์šฐ์ €์—์„œ ๋“ค์–ด์™”๋Š”์ง€ ์•„๋‹Œ์ง€๋ฅผ ํŒ๋‹จํ•  ๋•Œ ์ฃผ๋กœ ์‚ฌ์šฉํ•œ๋‹ค.
Set-Cookie: <cookie-name>=<cookie-value>

in Node.js

response.setHeader('Set-Cookie', ['type=ninja', 'language=javascript']);

์ด๋ ‡๊ฒŒ ์ƒ์„ฑ๋˜๋Š” ์ผ๋ฐ˜์ ์ธ ์ฟ ํ‚ค๋ฅผ ์šฐ๋ฆฌ๋Š” ์„ธ์…˜ ์ฟ ํ‚ค๋ผ๊ณ  ๋ถ€๋ฅธ๋‹ค. ์ด๋Š” Chrome Devtools์— ์žˆ๋Š” Storage ํƒญ์˜ Cookie์—์„œ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.

Persistent Cookie

๋ณดํ†ต ์ฟ ํ‚ค๋Š” ํด๋ผ์ด์–ธํŠธ๊ฐ€ ์ข…๋ฃŒ๋˜๋ฉด ์‚ญ์ œ๋œ๋‹ค. ์›น ๋ธŒ๋ผ์šฐ์ €๋Š” ์„ธ์…˜์„ ๋ณต๊ตฌ์‹œํ‚ฌ ์ˆ˜ ์žˆ์œผ๋ฉฐ ์ด ๋•Œ ์ฟ ํ‚ค๋ฅผ ํ•จ๊ป˜ ๋ณต๊ตฌ์‹œํ‚ฌ ์ˆ˜ ์žˆ์œผ๋ฉฐ ์ด ๋•Œ ๋ณต๊ตฌ๋˜๋Š” ์ฟ ํ‚ค๋ฅผ ์˜์†์ ์ธ ์ฟ ํ‚ค๋ผ๊ณ  ํ•œ๋‹ค. Expires๋‚˜ Max-Age๋ฅผ ๋ช…์‹œํ•˜์ง€ ์•Š์œผ๋ฉด ์˜์†์ ์ธ ์ฟ ํ‚ค๊ฐ€ ๋˜๋ฉฐ ์ด ๋‘ ์˜ต์…˜์€ ์„ธ์…˜ ์ฟ ํ‚ค๋ฅผ ์˜์†์ ์ธ ์ฟ ํ‚ค๋กœ ๋ฐ”๊ฟ”์ค€๋‹ค.

Secure, HttpOnly Cookie

Cookie์—๋Š” HTTPS ํ™˜๊ฒฝ์—์„œ๋งŒ Request header์— ํฌํ•จ๋  ์ˆ˜ ์žˆ๋„๋ก ํ•˜๋Š” Secure option์ด ์žˆ๋‹ค. HttpOnly ์˜ต์…˜์€ document.cookie ๋ฅผ ํ†ตํ•ด ์ ‘๊ทผํ•  ์ˆ˜ ์—†๋‹ค.

References

  • https://developer.mozilla.org/ko/docs/Web/API/XMLHttpRequest/withCredentials
  • https://www.html5rocks.com/en/tutorials/cors/

jbee37142 avatar Nov 15 '19 12:11 jbee37142