跨域cookie访问(或会话)
虽然我意识到这通常与跨站点脚本攻击有关,但我想知道会话如何在属于单个域的多个子域中保持有效(例如:用户仅登录一次,并且能够访问这两个域) subdomain1.domain.com 和 subdomain2.domain.com 具有相同的会话)。 我想我首先需要了解它是如何工作的,但到目前为止我还没有找到任何相关的内容。
但话又说回来,也许我没有问正确的问题。
提前致谢 :)
While I realise that this is usually related to cross site scripting attacks, what I'm wondering is how can a session remain valid throughout multiple subdomains belonging to a single domain (example: a user logging in only once, and being able to access both subdomain1.domain.com and subdomain2.domain.com with the same session). I guess I first need to understand how it works, but so far I haven't been able to find much that would be of any relevance.
But then again, maybe I wasn't asking the right question.
Thanks in advance :)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
默认情况下,站点的所有 cookie 都一起存储在客户端上,并且所有 cookie 都会随对该站点的任何请求发送到服务器。 换句话说,站点中的每个页面都会获取该站点的所有 cookie。 但是,您可以通过两种方式设置 cookie 的范围:
您可以了解更多信息 此处。
By default, all cookies for a site are stored together on the client, and all cookies are sent to the server with any request to that site. In other words, every page in a site gets all of the cookies for that site. However, you can set the scope of cookies in two ways:
You can learn more here.
关于为域设置 cookie 以允许子域接收该 cookie 的注释为您提供了这一点,但缺少的是会话的一致性。
我认为这非常类似于在场中跨服务器维护状态的问题,解决方案可能是确保会话存储在两个站点之间保持一致(如果它们不是来自 IIS 中同一“网站”的服务器)。 您可以将会话存储移至 SQL Server(如何:配置 SQL Server 以存储 ASP.NET 会话状态< /a>) 这可能会达到目的,因为每个站点在查找与它们所提供的 cookie 相关的会话数据时都会查询同一商店。
我希望这能让你走上正轨。
The comments about the cookie being set for the domain to allow subdomains to receive that cookie give you that side but what's missing is the consistency of session.
I think this is very much like the problem of maintaining state across servers in a farm and the solution is probably to ensure that your session store is consistent across both sites (if they are not server from the same 'web site' in IIS). You can move the Session store into SQL Server (HOW TO: Configure SQL Server to Store ASP.NET Session State) which would probably serve the purpose as each site would query the same store when looking for the session data related to the cookie they've been presented with.
I hope that gets you on the right track.
如果您有能力设置公共子域,则可以执行以下操作:
在您的子域 html 文件中,在顶部包含一个 javascript 文件,如下所示:
在 check.asp 中,查找 returned_in cookie,如果不存在,则显示页面说, http://common.domain.com/login.asp 使用类似
Once 的 内容一个人提交用户名密码,将其提交回相同的login.asp并设置会话cookie(将在common.domain.com域中设置),然后重定向到
http://subdomain1.domain.com。现在将发生的是,将调用嵌入的“common.domain.com/check.asp”,并且浏览器将随请求一起发送 common.domain.com 的 cookie。 因此,即使您位于 subdomain1.domain.com,您也会知道您的会话是否有效。
If you have the ability to set up a common subdomain, you can do this:
In your subdomain html files, include a javascript file at the top like this:
In check.asp, look for your logged_in cookie and if not present, show a page say, http://common.domain.com/login.asp using something like
Once a person submits username password, submit it back to the same login.asp and set the session cookie, (which will be set in common.domain.com domain) and then redirect to
http://subdomain1.domain.com.What will happen now is, a call will be made to the embedded "common.domain.com/check.asp", and cookies for common.domain.com will be sent by the browser along with the request. So you will know whether your session is valid or not, even when you are in subdomain1.domain.com.
您可以为特定域设置 cookie。
在php中,setCookie()方法包含一个参数,您可以在其中指定顶级域,所以cookie对所有子域都有效。 根据您的标签,我发现您正在使用 asp.net。 也许这也存在于asp...
在稍微搜索一下asp之后:
试试这个:
或者阅读这个
You can set a cookie for a specific domain.
In php, the setCookie() method contains a parameter in which you can specify the top-level domain, so the cookie is valid for all subdomains. Based on your tags, I see you are working in asp.net. Probably this also exists for asp...
after a little search for asp:
try this:
or read this
这是一个有效的解决方案:
http://anantgarg。 com/2010/02/18/cross-domain-cookies-in-safari/
Here is a solution which works:
http://anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/
Inproc 会话无法保持有效,但是您可以对 Web 应用程序进行编码以允许 cookie 跨多个子域。 您需要将域设置为:
记住句点。
Inproc sessions cannot remain valid, however you can code your web application to allow cookies across multiple subdomains. You will need to set the domain equal to:
Remember the period.
有很多方法可以跨域共享会话数据或 cookie 数据。 最简单的是通过共享数据存储在服务器端共享。 但如果这么简单的话你就不会问这个问题了。
另一种方法也同样简单。 域
one.com包含一些会话数据,例如name=aleem和id=123,并希望将其传递给two。 com。 它将遵循以下步骤:two.com/api/?name=aleem&id=123two.com通过查询参数获取数据时,它 会执行以下操作:使用数据创建一个 cookie。 该 cookie 将存储在two.com域下。two.com将重定向回REFERER,在本例中恰好是one.com这是一个简化的场景。 域
two.com需要能够信任one.com,不仅如此,它还需要知道请求是真实的,而不仅仅是由用户制作的,因此您需要使用公钥/私钥来缓解这种情况。There are quite a few ways to share session data or cookie data across domains. The simplest is to share it on the server side through a shared data store. But you would not be asking this question if it were that easy.
The other way to do this is equally simple. The domain
one.comcontains some session data sayname=aleemandid=123and wishes to pass this along totwo.com. It will follow these steps:two.com/api/?name=aleem&id=123two.comgets the data via query parameters, it creates a cookie with the data. This cookie will be stored under thetwo.comdomain.two.comwill then redirect back to theREFERERwhich in this case happens to beone.comThis is a simplified scenario. The domain
two.comneeds to be able to trustone.comand not only that but it needs to know that the request is authentic and not just crafted by the user so you need to use public/private keys to mitigate this.