Cross domain PHP Sessions


Question

I am building a site which allows a user to point a CNAME record at my site to run their "profiles"; this allows your OWN domain name to load your profile on my site.

This is raising all sorts of issues related to sessions. I have seen virb do it. I don't see any of the session-based information in an iFrame... but there IS an iFrame present on the page.

I can get the domain stuff to work; I just lose the session data... Any ideas?

(Here is an example -- links to Virb -- http://www.agentspider.com/ )

Answer

You can't set cookies cross domain by default. I believe you can set up a P3P file(s) to enable it: http://p3ptoolbox.org/guide/section4.shtml#IVd I haven't done this myself, so I don't know how many of the browsers implement it or if it even works that way.

Virb looks like it's just using JavaScript. It has an AJAX library that makes a JSON-P request to the virb server if no session cookie is set (on the first load in Firefox you can see this in Firebug). The JSON response just lets the page know whether the user is logged in or not, and updates the portions of the page that need to reflect user status.

So what's happening is the page embeds some JS from virb.com. Since the domain is virb.com, cookies set for virb.com are sent to the server. The server then responds with the result of the cookie check to the external site.

In the case of virb, which won't work properly without JS, I think that's a good option. However, you could do the same with HTTP redirects.

If the HTTP Host is not the main domain (example.com):

<?php
// Step 1, on the external domain: no session cookie yet, so bounce to the main site
if (!isset($_COOKIE['sessionid']) && $_SERVER['HTTP_HOST'] != 'example.com') {
    // redirect to your main site
    header('Location: http://example.com');
    exit;
}

On the main site, set the cookie, and send the user back to the external domain (domain.com), passing the session id in the Location.

header('Location: http://domain.com/?sessid=' . urlencode($sessid)); // $sessid: the id you just passed to setcookie(); it is not in $_COOKIE until the next request
exit;

The final bit is to redirect back to the page you were on, now that you have the same session going.

setcookie('sessionid', $_GET['sessid']); // sessid arrives in $_GET['sessid']
header('Location: http://domain.com/');
exit;

Note: in actuality, you can send the page you're currently on back to example.com in the first step, so you can redirect back to it later.

Since you're just using headers (you don't need to output content), and in most cases HTTP/1.1, so you'll be on the same TCP socket, I think it's pretty efficient and will be better supported than the JavaScript option.

Don't forget to set the cookie when you get back to the external domain.

The last step is optional, but it keeps the sessid from being in a URL, which is more of a security issue than keeping it in HTTP headers.
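The redirect handoff the answer describes, as an added example that is not the answerer's code: it keeps the three steps but puts a single-use, short-lived token in the URL instead of the session id itself, which the answer flags as the weak point. MAIN_HOST, $allowedHosts (the domains known to CNAME to the site) and $store (a shared server-side store both hosts can reach) are assumptions.

```php
<?php
// Added example (not the answerer's code): the three-step handoff from the answer,
// with a single-use token in the URL instead of the raw session id.
// Assumed: MAIN_HOST is the cookie-setting domain; $store stands in for a shared
// server-side store (APCu, Redis, DB) both hosts reach (same app serves the CNAMEs).
const MAIN_HOST = 'example.com';

function set_session_cookie(string $sessionId): void {
    setcookie(session_name(), $sessionId, [
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Step 1 (external domain): call when host != MAIN_HOST and $_COOKIE[session_name()]
// is absent; bounce to the main domain and remember the page to come back to.
function step1_external(string $host, string $uri): void {
    $return = 'https://' . $host . $uri;
    header('Location: https://' . MAIN_HOST . '/handoff?return=' . urlencode($return));
    exit;
}

// Step 2 (main domain): start or resume the session, mint a one-time token
// bound to it, and redirect back with only the token in the URL.
function step2_main(string $return, array &$store, array $allowedHosts): void {
    $host = parse_url($return, PHP_URL_HOST);
    if (!in_array($host, $allowedHosts, true)) {   // open-redirect guard
        http_response_code(400);
        exit;
    }
    session_start();
    $token = bin2hex(random_bytes(32));
    $store[$token] = ['sid' => session_id(), 'exp' => time() + 60];
    $sep = str_contains($return, '?') ? '&' : '?';
    header('Location: ' . $return . $sep . 'handoff=' . $token);
    exit;
}

// Step 3 (external domain): redeem the token exactly once, set the cookie for
// this domain, then redirect to the clean URL so the token leaves the history.
function step3_external(string $token, array &$store, string $cleanUrl): void {
    $entry = $store[$token] ?? null;
    unset($store[$token]);                          // single use, even on failure
    if ($entry === null || $entry['exp'] < time()) {
        http_response_code(403);
        exit;
    }
    set_session_cookie($entry['sid']);
    header('Location: ' . $cleanUrl);
    exit;
}
```

The token is worthless after 60 seconds or one redemption, so a copy left in a proxy log or browser history cannot be replayed the way a session id in the URL could.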
