是否可以为您自己以外的站点/服务器设置 cookie?
这是我的问题的快速版本:
当 cookie 用于不同的服务器(在本例中为 Exchange 邮件服务器)时,是否可以以某种方式将 cookie 设置到客户端的浏览器中? 在这种情况下,尝试设置 cookie 的服务器位于“intranet.myschool.edu”,交换服务器位于“owa_server.myschool.edu”。
这是完整的问题:
我有一个 php 脚本,它使用 cURL 向启用了基于表单的身份验证的 Exchange 服务器发出 HTTP POST。
当我成功进行 HTTP POST(其中包括发布的 url 中的用户/密码)时,Exchange Server(或更具体地说,https://my.school.edu/exchweb/bin/auth/owaauth.dll 文件)输出 cookie。 具体来说,它输出“sessionid”和“cadata”id。
将这些 cookie id 写入服务器上的文本文件后,cURL/PHP 可以引用它,然后从 Exchange/OWA 服务器请求数据(通过 webdav 等)。
那部分有效。 我现在想要解决的问题是将 cookie id 传递给客户端浏览器,以便他们可以使用这些 cookie id 自动登录到他们自己的 OWA 帐户。
本质上,我希望我们的用户使用他们的 Active Directory ID 登录我们的 Intranet,并查看他们最近的电子邮件的快照。 然后,如果他们需要,我会给他们一个小链接以切换到完整的 OWA Web 应用程序。 当发生这种切换时,我不希望他们必须手动登录 OWA。 由于他们已经在内联网前端提交了 Active Directory 用户名和密码,因此我希望他们能够自动登录到 OWA。
我应该指出,使用 Windows 身份验证来尝试进行单点登录是不可能的,因为我们混合使用 Mac OS、Windows 和 Linux。
我原以为我能够执行“setcookie”并分配 cURL 获取的 cookie id 并将它们放入客户端浏览器中。
这不可能吗? 是否不可能通过这种方式“欺骗”Exchange/OWA(或任何其他站点)? 我有 cURL 捕获的合法 cookie ID。 有没有办法将这些传递到另一台计算机上的客户端浏览器?
在最坏的情况下,使用 Javascript 将用户名和密码自动粘贴到 OWA 登录页面是我唯一的希望吗? 有人对如何避免 Exchange/OWA 的双重登录问题有任何其他想法吗?
感谢您提供的任何帮助!
Here's the quick version of my question:
Is it possible to set a cookie somehow into a client's browser when the cookie is for use with a different server (in this case an Exchange mail server)? In this scenario the server trying to set the cookie is at "intranet.myschool.edu" and the exchange server is at "owa_server.myschool.edu".
Here's the full question:
I have a php script that uses cURL to make an HTTP POST to our Exchange server that has Forms Based Authentication enabled.
When I make a successful HTTP POST (which includes the user/pass in the posted url), the Exchange Server (or more specifically, the https://my.school.edu/exchweb/bin/auth/owaauth.dll file) outputs cookies.
Specifically, it outputs a "sessionid" and a "cadata" id.
With these cookie ids written to a text file on the server, cURL/PHP can reference it and then request data (via webdav and such) from the Exchange/OWA server.
That part works.
The problem I'd like to solve is now passing the cookie ids to a clients browser, so that they can use these cookie ids to auto-login to their own OWA account.
In essence I would like our users to log into our intranet with their Active Directory IDs, and see a snapshot of their recent emails. Then, if they need to, I'd give them a little link to switch over to the full OWA web application. When this switch happens, I don't want them to have to login to the OWA manually. Since they already submitted their Active Directory UserName and password at the front of the intranet, I'd like them to be auto-logged into the OWA.
I should note that using Windows Authentication to try to do single sign on is not possible since we have a mix of Mac OS, Windows, and Linux.
I had thought that I would be able to do a "setcookie" and assign the cookie ids that cURL got and put them into the clients browser.
Is this not possible? Is it not possible to "spoof" Exchange/OWA (or any other site) this way.
I have legitimate cookie ids that cURL captured. Is there no way to pass these to a client browser on a different computer?
In a worst case scenario, would using Javascript to just auto paste the username and password into the OWA login page be my only hope?
Does anyone have any other ideas on how to avoid my double login problem with Exchange/OWA?
Thanks for any help provided!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
来自 RFC 2965(NB HDN =“主机域名)
因此,使用
.myschool.edu作为域名应该可以。 NB领先。 是必不可少的From RFC 2965 (NB HDN = "host domain name)
So using
.myschool.eduas the domain should work. NB the leading . is essential您也许能够设置域部分为“.myschool.edu”的 cookie。 理论上,然后将其发送到“myschool.edu”子域下托管的任何其他网站。
但实际上,您的客户端软件可能会认为 cookie 的范围太宽,并拒绝将其发回。
You may be able to set a cookie with a domain part of '.myschool.edu'. In theory that's then sent to any other site hosted under a subdomain of 'myschool.edu'.
In practise however, your client software may decide that the cookie's scope is too wide, and refuse to send it back.
我认为如果可能的话这将是一个严重的安全漏洞......
I think this would be a serious security loophole if it were possible...
你应该能够做到这一点。
我在我的网站上执行此操作(为了示例的目的,我将更改名称):
我有一个 Web 应用程序,网址为
webapp.domain.com
当用户登录时,我设置了 cookie PunBB 论坛包位于:
forum.domain.com
通过设置/清除 PunBB 论坛 cookie,我可以自动登录/注销我的用户的论坛帐户,以方便使用(当然假设注册是同步的,在我的例子中,我删除了论坛注册,主站点注册为用户创建了论坛帐户)。
您需要做的就是在 subdomain#1 中将 cookie 路径设置为 "/" (默认值),并将 cookie 域设置为“domain.com”。 然后您的 subdomain#2 中的应用程序应该会看到 cookie。
编辑:我看到 barrowc 已经回答了,我在一些示例中看到了“.domain.com”模式,我的网站使用“domain.com”作为 cookie 域,它也可以工作(也许 php如果缺少的话 set_cookie 添加前导点?)
You should be able to do that.
I do this on my site (which I will change the names for the purpose of the example):
I have a web app at url
webapp.domain.com
And when users login, I set the cookie of the PunBB forum package which is at:
forum.domain.com
By setting/clearing the PunBB forum cookie, I can automatically login/logout my users on their forum account for convenience (this of course assumes that the registrations are syncrhonized, in my case I removed the forum registration and the main site registration creates the forum account for the user).
All you need to do is in subdomain#1 to set the cookie path to "/" (the default), and set the cookie domain to "domain.com". Then your app in subdomain#2 should see the cookie.
EDIT: I see barrowc has answered, I've seen the ".domain.com" pattern in some examples, my site uses "domain.com" for the cookie domain and it works too (maybe php set_cookie adds the leading dot if missing?)
你的浏览器可以决定......但通常不,你不能。 这被认为是 XSS 漏洞的一种。
Your browser gets to decide that... but usually no, you cannot. That is considered a type of XSS vulnerability.
您可以使用 iframe 来设置 cookie,即。 您的 Web 服务器上有一个 iframe,它向 Exchange http 服务器上的页面发出请求 (https://my .school.edu/exchweb/),将您想要的 cookie 变量设置为 get 或 post 变量。 然后使用 vars 设置该域的 cookie,并将用户重定向到交换服务器。
现在,OWA 后端可能有逻辑检查 ip 地址、用户代理等...在注册会话时可能会使其无效...不确定
you could use an iframe to set the cookie, ie. have an iframe on your web server that makes a request to a page on your exchange http server (https://my.school.edu/exchweb/) with your wanted cookie vars set as get or post variables. then use the vars to set the cookie for that domain, and redirect the user to the exchange server.
now, there could be logic on the backend of OWA that checks ip address, user agent, etc.... when registering the session that may invalidate this..... not sure
几个月以来,我们一直在努力解决这个问题,我们能想到的最好办法就是允许 Web 服务器在每次登录时获取 Exchange 的 cookie。 问题是,如果没有 cookie 亲和性,我们就无法确保 Web 服务器获取的 cookie 来自客户端连接的同一负载平衡节点。
We've been fighting this one hard for months, the best we can come up with is allowing the web server to get the cookie for Exchange at EVERY LOGIN. problem is, that without cookie affinity, we don't have a way to make sure that the cookie obtained by the web server came from the same load balanced node that the client connects to.