A workaround for the upcoming Chrome 80 SameSite compatibility problem

Chrome 80 will default to SameSite=Lax. Under that default, cross-site (cross-domain) requests are no longer allowed to carry cookies to the back end, so every cross-site service that relies on cookies for authentication will be affected.
A site can opt out by explicitly setting SameSite to None. The prerequisite is that the Secure attribute is set at the same time (the cookie can then only be sent over HTTPS); otherwise the cookie is invalid.
But with SameSite set to None it is hard to guarantee that non-Chrome browsers remain compatible, so for compatibility's sake there are two options:
1. Use two cookies. The originally set cookie, for example session-id=xxxxx, stays unchanged; an additional cookie session-id-2=xxxxx is set with SameSite=None and Secure. This is compatible with both old and new browsers. The back end must then check: when session-id is absent from the request, take the value of session-id-2 instead.
2. A JWT scheme: put the token uniformly in the Authorization header, so there is no cross-site cookie to carry and no SameSite trouble.
The first option mainly requires adapting the back end and leaves the front end basically unchanged; the second option requires some rework on both the front end and the back end. Choose according to the situation.
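The dual-cookie option above, as an added example that is not part of the original post: the back end emits the original session-id cookie unchanged plus a session-id-2 copy marked SameSite=None; Secure, and on each request it reads session-id first and falls back to session-id-2. The cookie names come from the post; the Path and HttpOnly attributes and the sample session value are assumptions. It uses only Python's standard http.cookies module (SameSite support requires Python 3.8 or newer).

```python
from http.cookies import SimpleCookie

# Cookie names follow the scheme described in the post.
LEGACY_COOKIE = "session-id"
MODERN_COOKIE = "session-id-2"


def build_session_cookies(session_id):
    """Return the two Set-Cookie header values the back end should emit.

    The first cookie is the original one, left untouched so browsers that
    do not handle SameSite=None keep working. The second carries the same
    session id with SameSite=None; Secure so Chrome 80+ still sends it on
    cross-site requests.
    """
    legacy = SimpleCookie()
    legacy[LEGACY_COOKIE] = session_id
    legacy[LEGACY_COOKIE]["path"] = "/"          # assumed attribute
    legacy[LEGACY_COOKIE]["httponly"] = True     # assumed attribute

    modern = SimpleCookie()
    modern[MODERN_COOKIE] = session_id
    modern[MODERN_COOKIE]["path"] = "/"
    modern[MODERN_COOKIE]["httponly"] = True
    modern[MODERN_COOKIE]["secure"] = True       # mandatory alongside SameSite=None
    modern[MODERN_COOKIE]["samesite"] = "None"   # opt out of the Lax default

    return [legacy[LEGACY_COOKIE].OutputString(),
            modern[MODERN_COOKIE].OutputString()]


def resolve_session_id(cookie_header):
    """Pick the session id out of an incoming Cookie header.

    Prefer the original cookie; fall back to the SameSite=None copy when the
    browser withheld the original (the Chrome 80 cross-site case).
    Returns None when neither cookie is present.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    for name in (LEGACY_COOKIE, MODERN_COOKIE):
        if name in jar:
            return jar[name].value
    return None


if __name__ == "__main__":
    for header in build_session_cookies("abc123"):  # constructed session value
        print("Set-Cookie:", header)
    # Constructed request headers: an older browser sends both cookies on a
    # cross-site request; Chrome 80 sends only the SameSite=None copy.
    print(resolve_session_id("session-id=abc123; session-id-2=abc123"))
    print(resolve_session_id("session-id-2=abc123"))
    print(resolve_session_id(""))
```

Because both cookies hold the same value, the back end's session lookup stays exactly as it was; only the name it reads changes when the original cookie is missing. The second cookie is only ever delivered over HTTPS, so the fallback path silently does nothing on a plain-HTTP deployment.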


Origin: www.cnblogs.com/dupd/p/12160866.html