php - XHR2 file upload to subdomain token mismatch in Laravel5.1/nginx upload module


I am using Laravel 5.1 on both domain.com and upload.domain.com, with the same script (copy-pasted, with the site URL changed in the config file).

The session domain is set to .domain.com, I have added CORS headers on upload.domain.com, AJAX posts work fine, and I am using database sessions.

I have the following nginx config:

location /upload {
    add_header access-control-expose-headers accept-ranges;
    add_header access-control-expose-headers content-encoding;
    add_header access-control-expose-headers content-length;
    add_header access-control-expose-headers content-range;
    add_header accept_ranges bytes;

    upload_state_store /tmp;
    upload_resumable on;
    add_header pragma no-cache;
    add_header x-content-type-options nosniff;
    #add_header cache-control "no-story, no-cache, must-revalidate";

    # access control cors { ....}

    add_header x-csrf-token $http_x_csrf_token;
    add_header x-xsrf-token $http_x_csrf_token;
    upload_set_form_field "_token" $http_x_csrf_token;

    client_max_body_size 4096m;
    upload_pass /internal_upload;
    upload_pass_args on;

    upload_store /storage/uploaded 1;
    upload_store_access user:r group:r all:r;
    upload_set_form_field $upload_field_name.name "$upload_file_name";
    upload_set_form_field $upload_field_name.path "$upload_tmp_path";
    upload_cleanup 400 404 499 500-505;
}

location /internal_upload {
    proxy_pass http://upload.domain.com/fileupload/;
    proxy_redirect off;
    proxy_set_header host $host;
    proxy_set_header x-real-ip $remote_addr;
    proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
}

When doing XHR2 requests I pass the token via headers using:

xhr.setRequestHeader("x-csrf-token", globalobj._token);
xhr.setRequestHeader("x-xsrf-token", globalobj._token);

The problem is in the final step: when nginx passes the data to the backend application on the subdomain, a token mismatch exception is thrown.

I noticed that domain.com sets a cookie called x-xsrf-token that uses the domain.com domain name, and upload.domain.com sets an x-xsrf-token cookie with the domain name upload.domain.com. That is normal because both applications set x-xsrf-token, but the values are not equal, and I guess that might be the problem, or maybe nginx strips the data when it passes it to the backend?

For future reference, I had to send the cookie set on the main domain along with the XHR2 request. This is done by changing the XHR settings to:

xhr.withCredentials = true;
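
The failure and the fix described in this post, modeled as an added example (not code from the original post, from Laravel, or from nginx): the CSRF token is checked against the session that the session cookie selects, so a cross-origin XHR sent without withCredentials is checked against a fresh session and fails. The function names, the session_id cookie name and the sample origin are assumptions made for illustration.

```javascript
// Added illustration: a minimal model of the session-bound CSRF check.
// All names here are hypothetical; this is not Laravel's or nginx's code.
const crypto = require('crypto');

const sessions = new Map(); // stands in for the database session store

function startSession() {
  const id = crypto.randomBytes(16).toString('hex');
  sessions.set(id, { csrfToken: crypto.randomBytes(32).toString('hex') });
  return id;
}

// Server side: the header token must equal the token of the session that the
// session cookie selects. No cookie means a new session with a new token.
function verifyUpload(request) {
  let id = request.cookies.session_id;
  if (!id || !sessions.has(id)) id = startSession();
  const expected = Buffer.from(sessions.get(id).csrfToken);
  const supplied = Buffer.from(String(request.headers['x-csrf-token'] || ''));
  const match = expected.length === supplied.length &&
    crypto.timingSafeEqual(expected, supplied);
  return match ? 'ok' : 'token mismatch';
}

// Browser side: a cross-origin XHR attaches cookies only when withCredentials is true.
function buildCrossOriginRequest(page, withCredentials) {
  return {
    headers: { origin: page.origin, 'x-csrf-token': page.csrfToken },
    cookies: withCredentials ? { session_id: page.sessionId } : {},
  };
}

// Browser side: a credentialed response is readable only if the server names the
// exact origin (not "*") and sends Access-Control-Allow-Credentials: true.
function browserExposesResponse(responseHeaders, origin, withCredentials) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (!withCredentials) return allowOrigin === '*' || allowOrigin === origin;
  return allowOrigin === origin &&
    responseHeaders['access-control-allow-credentials'] === 'true';
}

// Constructed sample: a page on domain.com holding a session and its token.
function demo() {
  const sessionId = startSession();
  const page = { origin: 'http://domain.com', sessionId,
                 csrfToken: sessions.get(sessionId).csrfToken };
  return {
    withoutCredentials: verifyUpload(buildCrossOriginRequest(page, false)),
    withCredentials: verifyUpload(buildCrossOriginRequest(page, true)),
  };
}
```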
