最近在写一个点赞功能的页面,采用Ajax异步加载点赞数量,可是调用成功,但是浏览器端不显示cookie信息,这让小编整整弄了三四个小时,最后得知是Ajax的跨域问题,神坑啊~~~~~~~~

首先看一下后端代码,用Tornado框架写的,继承web.py里面的方法,首先先看一下源代码:

def get_cookie(self, name, default=None):
 """Gets the value of the cookie with the given name, else default."""
def set_cookie(self, name, value, domain=None, expires=None, path="/",
 expires_days=None, **kwargs):
 """Sets the given cookie name/value with the given options.
 Additional keyword arguments are set on the Cookie.Morsel
 directly.
 See http://docs.python.org/library/cookie.html#morsel-objects
 for available attributes.
 """
def get_secure_cookie(self, name, value=None, max_age_days=31,
 min_version=None):
 """Returns the given signed cookie if it validates, or None.
 The decoded cookie value is returned as a byte string (unlike
 `get_cookie`).
 .. versionchanged:: 3.2.1
 Added the ``min_version`` argument. Introduced cookie version 2;
 both versions 1 and 2 are accepted by default.
 """
def set_secure_cookie(self, name, value, expires_days=30, version=None,
 **kwargs):
 """Signs and timestamps a cookie so it cannot be forged.
 You must specify the ``cookie_secret`` setting in your Application
 to use this method. It should be a long, random sequence of bytes
 to be used as the HMAC secret for the signature.
 To read a cookie set with this method, use `get_secure_cookie()`.
 Note that the ``expires_days`` parameter sets the lifetime of the
 cookie in the browser, but is independent of the ``max_age_days``
 parameter to `get_secure_cookie`.
 Secure cookies may contain arbitrary byte values, not just unicode
 strings (unlike regular cookies)
 .. versionchanged:: 3.2.1
 Added the ``version`` argument. Introduced cookie version 2
 and made it the default.
 """

详细的实现过程可以看一下源代码的逻辑,这里只简单说一下set_cookie/set_secure_cookie两个方法,主要区别就是value经过 create_signed_value的处理。set_secure_cookie能够防止用户的cookie被伪造。

create_signed_value，得到当前时间，将要存的value base64编码，通过_cookie_signature将 加上name，这三个值加密生成签名。然后将签名，value的base64编码，时间戳用|连接，作为cookie的值。

_cookie_signature，就是根据settings里边的 保密的密钥生成签名返回。

get_secure_cookie，用|分割cookie的value，通过name，原value的base64的编码，时间戳得到签名，验证签名是否正确，正确返回，还多了一个过期时间的判断

如果别人想伪造用户的cookie，必须要知道密钥，才能生成正确的签名，不然通过 get_secure_cookie获取value的时候，不会通过验证，然后就不会返回伪造的cookie值。

好了,介绍完就该踩坑了~~~~

set_cookie后浏览器不显示cookie信息,咋回事这是.......

Ajax也没什么问题啊,好了好了,不卖关子了,哈哈上方法:

Ajax请求

crossDomain: true,//请求偏向外域
xhrFields: {withCredentials: true},//一定要加上这两个请求头

后端代码

self.set_header(name="Access-Control-Allow-Origin", value="http://localhost:63342")
self.set_header(name="Access-Control-Allow-Credentials", value="true")

这里面的Value就是你前端页面的请求地址,也可以设置为*,所有请求地址都可以访问.

好啦,可以啦,哦啦啦...........