跨域 cookie - 一个可能的新想法 [英] Cross-domain-cookies - a maybe new idea
问题描述
我的好友 Carsten Lau 提出了一个关于如何读取跨域 cookie 的有趣想法.
My buddy Carsten Lau came along with an interesting idea on how to read cross-domain-cookies.
情况:您想从域A"中读取设置在域B"上的 cookie.想法:从域A"上的客户端,您对域B"上的动态资源执行 get-request – f.e.一个图像或 javascript,它在服务器B"上实际上是一种能够读取 cookie 的编程语言,如 PHP、Java 等.通过该请求,您发送一个唯一标识符,如会话 ID.因此,客户端上查看域A"上的站点的代码可能如下所示:
Situation: You want to read a cookie from domain "A" that was set on domain "B". Idea: From the client on domain "A", you execute a get-request to a dynamic resource on domain "B" – f.e. an image or javascript, which on the server "B" is in fact a programming language capable of reading cookies like PHP, Java etc. With that request, you send an unique identifier like a session id. So the code on the client which looks at a site on domain "A" could look like this:
<img src="www.domainB.com/?getCookie.php?sessionID=1234">
现在有趣的部分来了,服务器 B 在服务器端读取域B"设置的 cookie,并使用提供的会话 ID 将结果写入域A"可访问的数据库中或返回包含cookie 信息发送到域A"上的客户端,然后客户端通过 AJAX 将其发送到服务器A".
Now comes the funny part, server B reads on server-side the cookie set by domain "B" and writes the result with the provided session-id either in a DB accessible by domain "A" or returns a response which contains the cookie information to the client on domain "A" which then sends it via AJAX to server "A".
我很确定存在我们尚未发现的缺陷.我个人认为服务器B"将无法读取 cookie 信息,因为客户端浏览器 URL 指向域A",但当然上面解释的getCookie"请求指向B".
I am pretty sure there is a flaw we didn't find yet. I personally believe server "B" will not be able to read cookie informations because the client-browsers URL points to domain "A", but of course the "getCookie"-request explained above points to "B".
请告诉我们您对它的看法、为什么它有效或为什么它无效.令我惊讶的是,一个小小的概念证明取得了成功.
Please tell us what you think about it, why it works or why it can't work. A small proof of concept was, to my big surprise, successful.
推荐答案
这是正常的,因为您可以控制两个域.顺便说一下,大多数网站都是这样实现跨域单点登录的.但如果您无法控制第二个域,则无法从中读取 cookie.
This is normal, because you have control of the 2 domains. This is how most websites achieve cross domain single-sign-on by the way. But if you do not have control of the second domain you cannot read cookies from it.
这篇关于跨域 cookie - 一个可能的新想法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
