[Bug record] This attempt to set a cookie via a Set-Cookie header was blocked because it had the "Secure"

Scenario where the problem occurs

Recently, when I opened a login page in the browser, the request kept bouncing through 302 redirects, and opening the developer tools (F12) showed the following warning on the page being accessed.

Cause of the error

The reason for the error is: an attempt was made to set a cookie with the "Secure" attribute via the Set-Cookie header, but the response was not received over a secure connection, so the browser blocked it. A cookie with the "Secure" attribute may only be transmitted over an encrypted HTTPS connection, so the browser refuses to store one that arrives over plain HTTP.

I checked the access protocol and confirmed that the page was indeed being reached over an http:// address. I then checked the cookie settings of the endpoint involved. It is a login-related endpoint that writes the sid and other session information into a cookie; looking at its configuration showed that the Shiro framework had been set up with:

shiro.cookie-secure = true

shiro.cookie-secure is one of the configuration options of the Apache Shiro framework. It controls whether the cookies Shiro generates are marked "Secure". A "Secure" cookie is one that the browser will only send over an HTTPS connection, which helps ensure that sensitive information such as the session id is only transmitted over an encrypted channel.
When shiro.cookie-secure is set to true, Apache Shiro generates "Secure" cookies, which means the browser will only include these cookies in requests sent over HTTPS. This increases the protection of sensitive data.
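The redirect loop described above, modelled in Python as an added example (not code from the original post or from Shiro): the browser rule that discards a Secure cookie set over http, applied to a constructed toy login flow whose paths, server and session id are invented.

```python
from __future__ import annotations
from http.cookies import SimpleCookie

# Constructed session id for the toy server below (not a value from the post).
SESSION_ID = "sid-constructed-0001"

def cookie_accepted(scheme: str, set_cookie: str) -> tuple[bool, str]:
    """Apply the browser rule from the warning: a Set-Cookie header that carries
    the Secure attribute is dropped unless the response came over https."""
    parsed = SimpleCookie()
    parsed.load(set_cookie)
    for morsel in parsed.values():
        if morsel["secure"] and scheme != "https":
            return False, f"{morsel.key}: Secure cookie blocked over {scheme}"
    return True, "stored"

def login_server(path: str, jar: dict, secure_flag: bool):
    """Toy login flow standing in for the Shiro endpoint: /home needs a sid
    cookie and otherwise bounces to /login; /login issues the sid and bounces
    back. secure_flag plays the role of shiro.cookie-secure.
    Returns (status, Location header, Set-Cookie header)."""
    if path == "/home":
        return (200, None, None) if "sid" in jar else (302, "/login", None)
    attrs = "; Path=/" + ("; Secure" if secure_flag else "")
    return 302, "/home", f"sid={SESSION_ID}{attrs}"

def browse(scheme: str, secure_flag: bool, max_hops: int = 10) -> tuple[int, int]:
    """Follow redirects the way a browser does; return (final status, hops).
    Hitting max_hops without a 200 is the 302 loop seen on the login page."""
    jar: dict = {}
    path, hops = "/home", 0
    while hops < max_hops:
        status, location, set_cookie = login_server(path, jar, secure_flag)
        if set_cookie:
            ok, _reason = cookie_accepted(scheme, set_cookie)
            if ok:  # only a cookie the browser accepted reaches the jar
                parsed = SimpleCookie()
                parsed.load(set_cookie)
                jar.update({name: m.value for name, m in parsed.items()})
        if status != 302:
            return status, hops
        path, hops = location, hops + 1
    return 302, hops

if __name__ == "__main__":
    print("http,  cookie-secure=true :", browse("http", True))   # loops: (302, 10)
    print("https, cookie-secure=true :", browse("https", True))  # (200, 2)
    print("http,  cookie-secure=false:", browse("http", False))  # (200, 2)
```

Hard-coding the flag to false also sends the sid in cleartext on every http request; deriving it from whether the request actually arrived over TLS (request.isSecure() in a servlet) keeps the https deployment protected while still working over http.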

Fix

Set shiro.cookie-secure to false:

shiro.cookie-secure = false

Normal access now looks as follows; you can see that the sid is carried normally over the http protocol.

Supplementary notes on cookie-secure

Servlet

For errors with a similar cause, check the cookie settings of the endpoint. A common way to set them is directly through the Servlet API:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Add a session cookie to the response (response is the servlet's HttpServletResponse)
void addSessionCookie(HttpServletResponse response) {
    // Create a cookie
    Cookie cookie = new Cookie("myCookie", "cookieValue");

    // Set the Secure attribute to true: the browser will only store and send it over HTTPS
    cookie.setSecure(true);

    // Set the cookie's other attributes, such as path, domain and lifetime
    cookie.setPath("/"); // cookie path
    cookie.setDomain(".example.com"); // cookie domain
    cookie.setMaxAge(3600); // lifetime in seconds

    // Add the cookie to the HTTP response
    response.addCookie(cookie);
}

If the page must be reachable over http, set cookie.setSecure(false);

Spring Security

Spring Security provides similar configuration options to control the security attributes of the cookies it generates. Cookie-related configuration in Spring Security usually involves the Remember-Me function and session management. The following example shows how to configure the Secure attribute of the Remember-Me cookie:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .rememberMe()
                .key("my-remember-me-key") // key used to sign the Remember-Me cookie
                .rememberMeCookieName("remember-me-cookie") // name of the Remember-Me cookie
                .tokenValiditySeconds(3600) // Remember-Me cookie lifetime in seconds
                .useSecureCookie(true); // whether the Remember-Me cookie gets the Secure attribute
    }
}

For access over plain http, set .useSecureCookie(false);

In short, when this problem appears, look for the configuration that controls the cookie's Secure attribute.

Source: blog.csdn.net/qq_40454136/article/details/132977503