如何从 Ajax 调用修改 Cookie

2022-01-15 00:00:00 cookies xmlhttprequest javascript

我有这个代码:

window.onload = function() {
        document.cookie = 'foo=bar; expires=Sun, 01 Jan 2012 00:00:00 +0100; path=/';
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "/showcookie.php",true);
        xhr.setRequestHeader("Cookie", "foo=quux");

        xhr.setRequestHeader("Foo", "Bar");
        xhr.setRequestHeader("Foo", "Baz");

        xhr.withCredentials = true;
        var pre = document.getElementById('output');
        xhr.onreadystatechange = function() {
            if (4 == xhr.readyState) {
                pre.innerHTML += xhr.responseText + "
";
            }
        };
        xhr.send(null);
    };

还有这个/showcookie.php

and this /showcookie.php

<?php

print_r($_COOKIE);

?>

它总是显示

Array
(
    [Host] => localhost
    [User-Agent] => 
    [Accept] => 
    [Accept-Language] => pl,en-us;q=0.7,en;q=0.3
    [Accept-Encoding] => gzip,deflate
    [Accept-Charset] => ISO-8859-2,utf-8;q=0.7,*;q=0.7
    [Keep-Alive] => 115
    [Connection] => keep-alive
    [foo] => Baz
    [Referer] =>
    [Cookie] => foo=bar
)

Array
(
    [foo] => bar
)

我在 Ubuntu 上使用 Firefox 3.6.13、Opera 11.00 和 Chromium 9.0.

I'm using Firefox 3.6.13, Opera 11.00 and Chromium 9.0 on Ubuntu.

有没有人有同样的问题,或者无法修改 Cookie 标头.

Is anybody have the same problem or maybe it's impossible to modify Cookie header.

推荐答案

Cookie 标头是 XMLHttpRequest 中无法修改的几个标头之一.来自规范:

The Cookie header is one of several which cannot be modified in an XMLHttpRequest. From the specification:

终止[执行setRequestHeader方法]如果header是一个不区分大小写的匹配项之一以下标题:

Terminate [execution of the setRequestHeader method] if header is a case-insensitive match for one of the following headers:

  • 接受字符集
  • 接受编码
  • 连接
  • 内容长度
  • Cookie
  • Cookie2
  • 内容传输编码
  • 日期
  • 期待
  • 主持人
  • 保持活跃
  • 推荐人
  • TE
  • 预告片
  • 传输编码
  • 升级
  • 用户代理
  • 通过

... 或者如果标题的开头是代理的不区分大小写匹配 - 或Sec- (包括当标题只是Proxy-或Sec-).

… or if the start of header is a case-insensitive match for Proxy- or Sec- (including when header is just Proxy- or Sec-).

以上标题由用户代理让它控制那些运输方面.这保证数据完整性在一定程度上.标题以 Sec- 开头的名称不是允许设置为允许新标头保证不会被铸造来自 XMLHttpRequest.

The above headers are controlled by the user agent to let it control those aspects of transport. This guarantees data integrity to some extent. Header names starting with Sec- are not allowed to be set to allow new headers to be minted that are guaranteed not to come from XMLHttpRequest.

相关文章