IE drops the session after a redirect out of an iFrame once the cookies are converted to HTTPonly
Yeah, this ought to be fun.
I'm working on a site that was built in Fusebox 5.5 and uses an iFrame. I was recently tasked with converting the site to Application.cfc and setting cookies we're using for google indexing on the site to HTTPonly as described here: http://www.petefreitag.com/item/764.cfm. The application is running on CF8.
The problem I'm running into is after a user logs into the site, the session data is set after the login process, then a fuse is triggered to load the home page which contains a 'frame-buster' function to break the site out of the inner iframe for login and load the main page. When this executes, IE drops the session and as the rest of the page loads, another check occurs that discovers the session is missing and forces a redirect back to the home page. Each javascript redirect is creating a new session when used in IE. This issue is not occurring in Firefox or Chrome.
This is the frame-buster function, triggered as an onLoad in the body tag:
function changeParentLocation()
{
    if (top != self) {
        self.location.href = <cfoutput>"#Application.rootdir#"</cfoutput>;
        top.location.replace(self.location.href);
    }
}
This is the onSessionStart function:
<cffunction name='onSessionStart' access='public' returntype='void' output='false'>
    <cfheader name="P3P" value="CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'" />
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=.my.sites.subdomain/;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=.my.sites.subdomain/;HTTPOnly">
    <!---<cfcookie name="CFTOKEN" domain=".my.sites.subdomain" value="#Session.CFTOKEN#" />
    <cfcookie name="CFID" domain=".my.sites.subdomain" value="#Session.CFID#" />--->
</cffunction>
If I comment out the HTTPOnly cookies and use the CFCookie code that's currently commented out instead, IE does not attempt to create multiple sessions.
Comments (1)
This does not occur if you properly set your coldfusion application up to have setClientCookies to be false. It must actually be a boolean false, and not a text value that would otherwise translate to false. In other words:
Works. But:
Does not.
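The code samples the answer refers to with "Works" and "Does not" did not survive on this page. As an added illustration of the configuration the answer describes (example code, not the poster's or the answerer's own), here is an Application.cfc that turns off ColdFusion's automatic CFID/CFTOKEN cookies with a boolean false and then emits the two session cookies itself with the HttpOnly flag, the way the question's onSessionStart does. The application name, timeout and the ".example.com" domain are placeholders; the cookie attributes use a URL path ("/") and a separate Domain attribute, which is the form Set-Cookie expects, rather than the "path=.my.sites.subdomain/" value in the question.

```cfml
<!--- Added example, not code from the original question or answer.
      Placeholder values: application name, session timeout, cookie domain. --->
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Boolean false: ColdFusion then sends no CFID/CFTOKEN cookies of its own,
          so the only session cookies the browser sees are the HttpOnly ones below.
          The answer states that the string form, <cfset this.setClientCookies = "false">,
          does not have this effect. --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" access="public" returntype="void" output="false">
        <!--- Path is a URL path; the host scope goes in Domain (placeholder domain).
              Add "; Secure" to both values when the site is served only over HTTPS. --->
        <cfheader name="Set-Cookie"
                  value="CFID=#session.CFID#; Path=/; Domain=.example.com; HttpOnly">
        <cfheader name="Set-Cookie"
                  value="CFTOKEN=#session.CFTOKEN#; Path=/; Domain=.example.com; HttpOnly">
    </cffunction>
</cfcomponent>
```

With setClientCookies left at its default, ColdFusion still writes its own CFID/CFTOKEN cookies alongside the manual HttpOnly pair, so the browser holds two copies with different attributes; setting the boolean false removes that overlap, which is the point the answer makes.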