[gogf/gf] g.Client()'s SetBrowserMode does not seem to take effect during login

2024-07-09 286 views
3

go version go1.15.8 windows/amd64

github.com/gogf/gf v1.15.3

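With BrowserMode enabled, when the server returns a 302 response, the Client does not pick up and save the Cookies, so the login state cannot be kept on redirect. Implementation code: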

c := g.Client().SetBrowserMode(true)
r, err := c.Post(zabbixLoginURL, g.Map{
    "name":      User,
    "password":  Password,
    "autologin": "0",
    "enter":     "Sign in",
})

POST sent by the client:

POST /index.php HTTP/1.1
Host: 192.168.126.202
User-Agent: GoFrameHTTPClient v1.15.3
Content-Length: 58
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

Response returned by the server:

HTTP/1.1 302 Found
Server: nginx
Date: Wed, 03 Mar 2021 02:27:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.2.11
Set-Cookie: PHPSESSID=8cf0d88a03f1a85ee94edcc63dd5b265; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: zbx_sessionid=36aec56a79ffbcad6d8eb27489f09050; expires=Sat, 03-Apr-2021 02:27:30 GMT; Max-Age=2678400; secure; HttpOnly
Location: zabbix.php?action=dashboard.view
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Content-Security-Policy-Report-Only: default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report
Content-Length: 0

GET sent by the client on redirect:

GET /zabbix.php?action=dashboard.view HTTP/1.1
Host: 192.168.126.202
User-Agent: GoFrameHTTPClient v1.15.3
Content-Type: application/x-www-form-urlencoded
Referer: https://192.168.126.202/index.php
Accept-Encoding: gzip, deflate
Connection: close

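I checked the documentation; BrowserMode is described as “Whether auto saving and sending cookie content.” If I understand correctly, when login succeeds it should save the Cookies returned by the server and send the saved Cookies in subsequent requests.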

Answers

7

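@djy1121 Yes, BrowserMode does what you think: it automatically accepts the Cookies returned by the server, stores them in the local object cache, and sends them with the next request. You could try debugging this yourself first.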

6

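In my tests I set c.SetProxy("http://127.0.0.1:8080") and watched the exchange with Burp Suite. I tried SetDump(true), SetRedirectLimit and SetBrowserMode(true); none of them can get the Cookie from a response with status 302, only the Cookie from a response with status 200.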

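I traced the code execution: by the time func (c Client) callRequest(req http.Request) in client_request.go returns, resp no longer has the cookies from the earlier redirect, so whether or not SetBrowserMode(true) is used afterwards, the login cookie cannot be obtained.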

Only without SetBrowserMode(true), using the native jar directly, does the login exchange complete normally:

c := g.Client()
jar, _ := cookiejar.New(nil)
c.Jar = jar
r, err := c.Post(zabbixLoginURL, g.Map{
    "name":      User,
    "password":  Password,
    "autologin": "0",
    "enter":     "Sign in",
})

2

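@djy1121 I see. That is because the Request object in the underlying standard library follows a 3xx redirect directly, without going through the BrowserMode logic. This could be improved by using a CookieJar. Would you be able to submit a PR?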

5

Not for now. I don't yet know what submitting a PR means; I usually only come to GitHub when looking for material and haven't studied its features.

8

fork -> clone -> then get down to the hard work (/smirk) -> push -> pull request

3

@djy1121 Then I'll take care of it.
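
The behaviour discussed in this thread (the standard library follows the 3xx itself, so a session cookie set on the 302 is only replayed when the client has a jar) can be reproduced offline. This is an added Go example, not code from the thread or from gogf/gf: the test server, the cookie value and the helper names newLoginServer and loginStatus are constructed for illustration, and it uses plain net/http rather than g.Client().

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// newLoginServer is a constructed stand-in for the login flow in the thread:
// the login path answers 302 with a Secure, HttpOnly session cookie, and the
// redirect target answers 200 only when that cookie is sent back.
func newLoginServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/index.php", func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{Name: "zbx_sessionid", Value: "constructed-value", Secure: true, HttpOnly: true})
		http.Redirect(w, r, "/zabbix.php?action=dashboard.view", http.StatusFound)
	})
	mux.HandleFunc("/zabbix.php", func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie("zbx_sessionid"); err != nil {
			w.WriteHeader(http.StatusUnauthorized) // session cookie was not replayed
		}
	})
	return httptest.NewTLSServer(mux)
}

// loginStatus posts to the login path and returns the status of the final
// response after redirects and the number of cookies visible on it.
func loginStatus(withJar bool) (status int, finalCookies int, err error) {
	srv := newLoginServer()
	defer srv.Close()
	c := srv.Client() // trusts the test server's TLS certificate
	if withJar {
		c.Jar, _ = cookiejar.New(nil) // stores Set-Cookie from every hop, including the 302
	}
	resp, err := c.PostForm(srv.URL+"/index.php", nil)
	if err != nil {
		return 0, 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, len(resp.Cookies()), nil
}

func main() {
	for _, withJar := range []bool{false, true} {
		status, n, err := loginStatus(withJar)
		fmt.Println("jar:", withJar, "status:", status, "cookies on final response:", n, "err:", err)
	}
}
```

In both runs the final response carries no cookies, which is why logic that reads cookies only from the returned response never sees the ones set on the 302. The test server uses TLS because the jar replays a Secure cookie only over https.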