axios / axios

Promise based HTTP client for the browser and node.js
https://axios-http.com
MIT License

Can't trigger X-XSRF-TOKEN header to be sent with a POST #1838

Closed ghenry closed 4 years ago

ghenry commented 5 years ago

Summary

Can't trigger X-XSRF-TOKEN header to be sent with a POST:

https://stackoverflow.com/questions/52863990/x-xsrf-token-header-with-axios

Context

ghenry commented 5 years ago

Do I have to set anything to send X-XSRF-TOKEN header if I set an XSRF-TOKEN cookie server side?

https://github.com/axios/axios/blob/master/lib/defaults.js#L74
https://github.com/axios/axios/blob/master/dist/axios.js#L1072

It reads like I don't, but I'm not seeing one go out.

I'll add that I have set withCredentials to true, so I do meet the first check in the OR:

var xsrfValue = (config.withCredentials || isURLSameOrigin(config.url)) && config.xsrfCookieName ?
  cookies.read(config.xsrfCookieName) :
  undefined;

if (xsrfValue) {
  requestHeaders[config.xsrfHeaderName] = xsrfValue;
}

so if config.xsrfCookieName is a default.....

Update:

So, my OPTIONS preflight CORS is working, as is the POST now, but no X-XSRF-TOKEN being sent.

methods: {
  onSubmit(e) {
    this.axios
      .post(
        e.target.action,
        { data: this.form },
        {
          withCredentials: true,
          xsrfCookieName: "XSRF-TOKEN",
          xsrfHeaderName: "X-XSRF-TOKEN"
        }
      )
      .then(res => {
        console.log(res)
      })
      .catch(err => {
        this.errors.push(err)
      })
  }
}

Thanks.

ghenry commented 5 years ago

Should I have to set these config items if they are already default?

ghenry commented 5 years ago

Anyone have any ideas?

ghenry commented 5 years ago

No one?

seonixx commented 5 years ago

Did you end up resolving this?

ghenry commented 5 years ago

Not yet. Will be back on this soon when we make https://www.surevoip.co.uk/mobile live.

Tu-Szu-Chi commented 5 years ago

If xsrfCookieName = 'session'

var match = document.cookie.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));

@ghenry

I logged the match result (in lib/helpers/cookies, line 35) and got null. The problem is... my session cookie is httpOnly, so document.cookie can't find it.

ghenry commented 5 years ago

So this only works with https?

ghenry commented 5 years ago

Still got this issue.

pascalboucher commented 4 years ago

Hi @ghenry

For me, that solved it.

https://github.com/axios/axios/issues/876#issuecomment-309871930

Hope it can help!

chinesedfan commented 4 years ago

Besides withCredentials, as @pascalboucher mentioned, you may check whether they are HttpOnly or Secure, and the scopes of the cookies. Read more on MDN about which kinds of cookies can be accessed by JavaScript. Closed as this is not an issue with axios.
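
The checks suggested in the last comment, as an added example that is not part of the thread or of axios itself: a simplified model of which cookies a browser exposes through document.cookie, fed into the regular expression and header condition quoted earlier in the thread. The hosts, the token value, the `setBy` field and the helper names (`visibleToScript`, `documentCookie`, `readCookie`, `xsrfHeaders`, `headersFor`) are assumptions made for illustration.

```javascript
// Added example: models which cookies document.cookie exposes, then applies
// the header check quoted in the thread. Cookie and page values are constructed.

// Simplified browser rules: HttpOnly hides a cookie from scripts, Secure needs
// https, and Domain/Path must cover the page that runs the script.
function visibleToScript(cookie, page) {
  if (cookie.httpOnly) return false;
  if (cookie.secure && page.protocol !== 'https:') return false;
  const domainOk = cookie.domain
    ? page.host === cookie.domain || page.host.endsWith('.' + cookie.domain)
    : page.host === cookie.setBy; // no Domain attribute: host-only cookie
  const path = cookie.path || '/';
  const pathOk = page.path === path ||
    (page.path.startsWith(path) && (path.endsWith('/') || page.path[path.length] === '/'));
  return domainOk && pathOk;
}

function documentCookie(jar, page) {
  return jar.filter(c => visibleToScript(c, page))
    .map(c => c.name + '=' + c.value).join('; ');
}

// Same regular expression as the one quoted in the thread.
function readCookie(cookieString, name) {
  const match = cookieString.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
  return match ? decodeURIComponent(match[3]) : null;
}

// Same condition as the snippet quoted in the first comment.
function xsrfHeaders(config, cookieString, sameOrigin) {
  const headers = {};
  const xsrfValue = (config.withCredentials || sameOrigin) && config.xsrfCookieName
    ? readCookie(cookieString, config.xsrfCookieName) : undefined;
  if (xsrfValue) headers[config.xsrfHeaderName] = xsrfValue;
  return headers;
}

const config = { withCredentials: true, xsrfCookieName: 'XSRF-TOKEN', xsrfHeaderName: 'X-XSRF-TOKEN' };
const page = { protocol: 'https:', host: 'app.example.test', path: '/mobile' };
const token = { name: 'XSRF-TOKEN', value: 'constructed-token', setBy: 'app.example.test' };

function headersFor(cookie) {
  return xsrfHeaders(config, documentCookie([cookie], page), false);
}

console.log(headersFor(token));                                   // header present
console.log(headersFor({ ...token, httpOnly: true }));            // HttpOnly: no header
console.log(headersFor({ ...token, setBy: 'api.example.test' })); // other host: no header
```

The third case is the cross-origin setup from the thread: a cookie set by the API host without a Domain attribute is sent with credentialed requests to that host, but the page's own script cannot read it, so no header is added.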