SSL and authentication across multiple domains
I am building an app with Ruby on Rails which allows users to sign up and create their own subdomain:
joebloggs.myapp.com
So at the very least I need a wildcard SSL certificate to handle when users are passing sensitive data (authentication, payment, etc.).
In addition, we are allowing users who want to, to map their own domain to their account, like:
www.joebloggs.com
Which all of a sudden creates a massive headache. I'm assuming no SSL product exists to serve this purpose (i.e., potentially be used over unlimited domains)?
The app is essentially a CMS, so it has a public-facing website and an admin back end. It is essential that the public-facing website side of things has the facility to be mapped to the user's domain. However, I'm less concerned about the admin area and would quite happily force users to log in and administer their site via their subdomain.
However, whilst for the majority of the website it doesn't really matter whether the user is logged in or not, I DO want to be able to know whether the user is logged in so I can serve up slightly different content to logged-in users. I'm assuming this is going to cause me a problem because the cookie can't be used over multiple domains (or can it?). I'm using Authlogic for authentication.
So really, I'm just wondering if anyone has come across a situation like this before? If so, what approach have you taken to get round the several issues here?
This may not be an answer to your problems. But your question has gone 6 hours without an answer, so I thought I'd pitch in with a couple of alternative ideas. Perhaps it will spur some creativity in other readers' minds. :)
These are sorted in the order of how neat a solution I personally think they are.
Always have a subdomain, even if the user has his/her own
Following your example, you could serve exclusively static pages on www.joebloggs.com, with login links that link to joebloggs.myapp.com. If a user is already logged in, the actual login step can be skipped because cookies are then available. This would require all users to have a subdomain, even if they specify their own domain.
Serve static pages, and use cross-site AJAX
There's a relatively new draft standard called Cross-Origin Resource Sharing, which allows AJAX requests across domains. Firefox supports it as of version 3.5, and there are some more readable (than a W3 spec) examples of how this works in practice over at the Mozilla Developer Center.
Besides Firefox 3.5, this appears supported in IE 8. It's in newer versions of Chrome and Safari, but I can't pinpoint since which version. (Webkit changeset #41046.) I can't find anything definitive about Opera.
Also note that non-GET requests have the extra overhead of a 'pre-flight' request.
Serve dynamic parts with an iframe
Iframes can be well hidden with some CSS, and made to appear seamlessly on the page. You could serve up the dynamic parts of your page using iframes that point to myapp.com. This would work reasonably well if the dynamic part is just a slice of the page header with some account info and links, for example. If you plan on hiding content based on the user's privileges, you could take this as far as serving the entire content area of the page as an iframe.
Downside is that some browsers might complain about mixed plain and secured content.
The classic hide-behind-an-invisible-frame trick
Lots of sites that used to be hosted on platforms such as Geocities used to have those free .tk domains that 'hide' the site behind the pretty URL in the address bar. The trick was that the .tk domain served a frame-set with an invisible frame, and another frame covering all of the window, which would serve the Geocities site. This is ugly, of course, but I had to mention it. It means that the address bar will not update with link navigation on your site, and will always show the root URL. It also neglects a lot of possible advantages for having a separate domain. And it may even have the same downside as the previous trick with iframes.
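The cross-site AJAX option above only works when the browser is allowed to send the myapp.com session cookie along with a request made from the customer's own domain, and that is exactly the case where the server must not answer with a wildcard origin. Here is an added example (not code from the original post or from Authlogic/Rails) of the origin check a CORS endpoint on myapp.com would need: it answers with the one requesting origin, only if that origin is an https origin for a domain a customer has actually mapped. `MAPPED_DOMAINS`, `account_for_origin` and `cors_headers` are assumed names, and the domain list is constructed sample data.

```ruby
# Added example: origin allowlisting for credentialed cross-origin requests.
# Browsers reject "Access-Control-Allow-Origin: *" together with credentials,
# and reflecting whatever Origin arrives would let any site read a logged-in
# user's content, so the origin is matched exactly against mapped domains.
require 'uri'

# Constructed sample data: custom domains customers mapped to their accounts,
# keyed by host, valued by the account (subdomain) they belong to.
MAPPED_DOMAINS = {
  'www.joebloggs.com' => 'joebloggs',
  'shop.example.net'  => 'examplestore'
}.freeze

# Returns the account name if +origin+ (the raw Origin header value) is an
# https origin on port 443 for a mapped host, else nil. Exact host match:
# "www.joebloggs.com.evil.test" or an http:// origin does not qualify.
def account_for_origin(origin)
  return nil if origin.nil? || origin == 'null'
  uri = URI.parse(origin)
  return nil unless uri.scheme == 'https' && uri.port == 443 && uri.path.to_s.empty?
  MAPPED_DOMAINS[uri.host.to_s.downcase]
rescue URI::InvalidURIError
  nil
end

# Builds the CORS response headers for a request from +origin+. An unknown
# origin gets no CORS headers at all, so the browser withholds the response.
def cors_headers(origin, request_method)
  return {} unless account_for_origin(origin)
  headers = {
    'Access-Control-Allow-Origin'      => origin,   # the single origin, never '*'
    'Access-Control-Allow-Credentials' => 'true',   # allow the myapp.com cookie to be sent
    'Vary'                             => 'Origin'  # stop caches reusing one origin's answer
  }
  if request_method == 'OPTIONS' # the 'pre-flight' request for non-GET calls
    headers['Access-Control-Allow-Methods'] = 'GET, POST'
    headers['Access-Control-Allow-Headers'] = 'Content-Type'
    headers['Access-Control-Max-Age']       = '600'
  end
  headers
end
```

Pair this with a session cookie scoped to myapp.com itself (no `domain=` widening) and the JavaScript on the customer's domain sending `withCredentials`; the cookie then never has to exist on www.joebloggs.com at all.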