Domain setting a cookie for a subdomain
I looked at many questions about cookies but I didn't find an answer to my problem. I have the following scenario:

A user creates a login on example.com and should get a cookie, but only for the subdomain fuu.example.com. I generate the following HTTP header part:

Set-Cookie: name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly

But when I make a request to https://fuu.example.com, the cookie is not added to the request. I wonder if it is possible for example.com to set a cookie for fuu.example.com. I know that it is possible for example.com to set a cookie for .example.com, and also for all subdomains of example.com, but that's not what I want.

How do I set a cookie for a subdomain? I am not seeing the cookie in a request to the subdomain.
No.

Besides that (see update below), the cookie would get rejected: fuu.example.com is an invalid Domain value (it must start with a ".", i.e. .fuu.example.com).

The request-host is example.com and the Domain attribute value is foo.example.com. But the request-host example.com does not have the form HD where D would be foo.example.com. Thus the cookie gets rejected.

Update: The current specification, RFC 6265, which obsoleted the RFC 2109 quoted above, does ignore the leading dot. But the effective domain is handled the same:
The 2 domains example.com and foo.example.com can only share cookies if the domain is explicitly named in the Set-Cookie header. Otherwise, the scope of the cookie is restricted to the request host.

For instance, if you sent the following header from foo.example.com:

Then the cookie won't be sent for requests to example.com. However, if you use the following, it will be usable on both domains:

In RFC 2109, a domain without a leading dot meant that it could not be used on subdomains, and only a leading dot (.example.com) would allow it to be used across subdomains. However, modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.

In summary, if you set a cookie like the second example above from example.com, it would be accessible by foo.example.com, and vice versa.

For more details: https://stackoverflow.com/a/23086139/5466401
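To make the two answers above concrete, here is an added example (not code from the question or the answers) that models the RFC 6265 rules a browser applies: the Domain-attribute check when storing a cookie (section 5.3) and the domain-match when deciding which cookies to send (section 5.4). It shows why the question's header set from example.com is dropped, while Domain=example.com is stored and sent to fuu.example.com. Function names and the in-memory jar are my own; the public-suffix and IP-address checks of the RFC are left out.

```python
# Added example: minimal RFC 6265 cookie store/send model (not the page's code).
# Assumed names: domain_matches, store_cookie, cookies_for, jar (a plain list).
# Omitted on purpose: public-suffix list and IP-literal checks.

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches domain when they are
    identical or host ends with '.' + domain (IP-address rule omitted)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def store_cookie(jar: list, request_host: str, set_cookie: str) -> bool:
    """Apply the Domain-attribute steps of RFC 6265 section 5.3 and return
    True if the cookie was accepted into jar, False if it was ignored."""
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    name, _, value = name_value.partition("=")
    domain = ""
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            # RFC 6265 ignores a leading dot (unlike RFC 2109).
            domain = val.strip().lower().lstrip(".")
    if domain:
        # The request-host must domain-match the Domain attribute; otherwise
        # the user agent ignores the cookie entirely. This is the check that
        # rejects Domain=fuu.example.com sent from example.com.
        if not domain_matches(request_host, domain):
            return False
        host_only = False
    else:
        # No Domain attribute: host-only cookie, scoped to the request host.
        domain, host_only = request_host.lower(), True
    jar.append({"name": name, "value": value, "domain": domain, "host_only": host_only})
    return True

def cookies_for(jar: list, request_host: str) -> list:
    """Domain part of RFC 6265 section 5.4: host-only cookies need an exact
    host match, all others need a domain-match. Returns cookie names."""
    host = request_host.lower()
    sent = []
    for c in jar:
        ok = host == c["domain"] if c["host_only"] else domain_matches(host, c["domain"])
        if ok:
            sent.append(c["name"])
    return sent

if __name__ == "__main__":
    jar = []
    # The question's header, set from example.com: ignored by the browser.
    print(store_cookie(jar, "example.com", "name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly"))
    # Domain=example.com (leading dot or not) from example.com: stored and sent to subdomains.
    print(store_cookie(jar, "example.com", "name=TestUser; Domain=.example.com; Path=/"))
    print(cookies_for(jar, "fuu.example.com"))
```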
Actually, there is a simple and fully cross-browser supported way of sharing cookies between the original domain and subdomains, but you should share it at setting time. For comfortable working with cookie stuff in the browser I'm using js-cookie, and with the below cookie setting it could be shared between the original domain and all of its subdomains:

Hint: Adding this "." will share the cookie with all sub-subdomains.