2015-07-16 08:06 阅读 73


So I have set up a golang rest api. And on login I do this:

session, _ := store.New(r, sessionId)
session.Options.MaxAge = 12 * 3600
err := session.Save(r, w)
//treat error

and for checking the session i have smth like this:

    session, err := store.Get(r, sessionId)
    //treat error
    if session.IsNew {
        http.Error(w, "Unauthorized session.", http.StatusUnauthorized)

If I do the requests from postman it works fine, but when I do them from my client I get 401. Has any of you experienced something like this? The store is a CookieStore.

I already checked the id's, I replaced sessionId variable with a static string. Gorilla session uses gorilla context to register a new request and when I do the request from postman context.data[r] is not null, but from the client it is always null -> always a new session.

https://github.com/gorilla/context/blob/master/context.go - line 33

it is called in

https://github.com/gorilla/sessions/blob/master/sessions.go - line 122

wich is used in the CookieStore.Get function in

https://github.com/gorilla/sessions/blob/master/store.go - line 77

EDIT 1: For the client I use polymer and I tried xmlhttp too. Polymer:


and the handlers

  onResponse: function(response){
    this.items = response.detail.response
  onError: function(error){
  ready: function(){
    this.requestUrl = "http://localhost:8080/api/fingerprint/company/" + getCookie("companyId");
    this.requestHeaders = {"Set-cookie": getCookie("api_token")}

and the cookie successfully reaches the backend.

And xmlhttp:

  var xmlhttp = new XMLHttpRequest();
  xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == XMLHttpRequest.DONE ) {
      if(xmlhttp.status == 200){
        //do stuff
      }else if(xmlhttp.status == 401){

  xmlhttp.open("GET","http://localhost:8080/api/fingerprint/company/" + getCookie("companyId"),true);
  xmlhttp.setRequestHeader("Set-cookie", getCookie("api_token"));


So I tried debugging with fiddler(thanks for the suggestion) and i found out that the request from postman has an bold entry Cookies / Login and the request from the client does not. Any idea how to get/set that value? It is somehow automatically set in Postman. In the authentication request I get a set-cookie header that has all the data that I need but I can't get it on the client. I get Refused to get unsafe header set-cookie.

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

2条回答 默认 最新

  • 已采纳
    dsshsta97935 dsshsta97935 2015-07-20 06:07

    The problem is that in the client the requests need to have withCredentials = true and after that the browser deals with everything. It gets the cookie from the set-cookie header and it sends the cookies via the cookie header. So, after all, it was not a gorilla sessions problem.

    点赞 评论 复制链接分享
  • dongni1892 dongni1892 2017-10-12 23:25

    If anyone else is having the same problem I was having and you want to whitelist all domains/wildcards (or have a list of domains in an array you can scan through), you can do something like this.

    domain_raw := r.Host
    domain_host_parts := strings.Split(domain_raw, ".")
    domain := domain_host_parts[1] + "." + domain_host_parts[2]
    domains := getDomains() // stores a slice of all your allowable domains
    has_domain := false
    for _, d := range domains {
        if d == domain {
            has_domain = true
    if has_domain == false {
    } else {
        w.Header().Add("Access-Control-Allow-Origin", "https://"+domain_raw)
        w.Header().Add("Access-Control-Allow-Credentials", "true")

    I love go

    点赞 评论 复制链接分享