Redirection and session data transfer to another server/domain after login


Problem description

After some time of searching and reading docs I've decided to ask you guys.

So, the scenario is simple:

User goes to https://Domain1.com, enters his credentials, tries to login.

After successful login, based on user type and other info from DB, Domain1 server should redirect user to another CF server at https://Domain2.com.

So far, no problem, using HTTP 301 and cfheader/cflocation I'm redirecting user to second machine, BUT he has to repeat login procedure which is unacceptable by our management.

Is there any good and secure practice which is used to "transfer" client together with session data to another machine or at least automatically log him in with same credentials?

How can this be done?

Recommended answer

There are probably many ways you could handle this. Here are some possible options.

1. The "enterprise" way of handling this would be to use some sort of a single sign-on (SSO) implementation, like Shibboleth, to handle it. This is complicated, but very effective and secure.

2. Before you redirect the user you could generate a token that you store somewhere (server scope, DB) that indicates that the user is logged on. Then when you redirect that user, send that token along (http://domain2.com/HGF394JFJk58fjJ). When the second server receives the request, if it sees that a token is present it can send a remote request (cfhttp) back to the first server to find out if that is a valid token. If it is, simply log the user into the second site. Of course you would have to do things to make sure that a token could not be reused/replayed.

3. After the user logs into site 1 you could send a remote request (cfhttp) to site 2 to log the user in. Then display a page (from site 1) that has an iframe loaded from site 2 to set the session cookies for site 2. This is not as clean and would require you to display at least one page from site 1 before redirecting to site 2. I really don't like this option and suspect it would be error prone and fragile.

Like I said, there are probably other options. Some might even be better (though I doubt better than option 1). I would choose option 1 if you have the resources available to do it.
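The token hand-off from option 2, as an added Python sketch that is not code from the answer (and not ColdFusion): Domain1 mints a random, short-lived, single-use token before the redirect, and Domain2 validates it through a back-channel call, represented here by a direct function call standing in for cfhttp. The in-memory store, the 30-second TTL and the domain2 URL are constructed assumptions.

```python
import secrets
import time

# Constructed in-memory store standing in for Domain1's server scope / DB.
# token -> {"user": ..., "expires": ..., "used": bool}
TOKEN_STORE = {}
TOKEN_TTL_SECONDS = 30  # assumed lifetime; long enough for one redirect hop


def issue_handoff_token(user_id, now=None):
    """Domain1: mint a single-use, short-lived token before redirecting."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, not derived from user data
    TOKEN_STORE[token] = {"user": user_id,
                          "expires": now + TOKEN_TTL_SECONDS,
                          "used": False}
    return token


def build_redirect_url(user_id, now=None):
    """Domain1: the Location value sent with the redirect (assumed URL)."""
    return "https://domain2.example/sso?token=" + issue_handoff_token(user_id, now)


def validate_handoff_token(token, now=None):
    """Domain1: back-channel endpoint that Domain2 calls (cfhttp in the answer).
    Returns the user id exactly once; unknown, expired or consumed tokens yield None."""
    now = time.time() if now is None else now
    entry = TOKEN_STORE.get(token)
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True  # consume before returning so a replay cannot succeed
    return entry["user"]


def domain2_login(token, now=None):
    """Domain2: take the token from the query string, ask Domain1 whether it is
    valid and, if so, start a local session for that user."""
    user = validate_handoff_token(token, now)  # stands in for the cfhttp call
    if user is None:
        return None
    return {"domain2_session_for": user}
```

Because the token travels in the URL it also ends up in access logs and Referer headers, which is why it is single-use and expires within seconds; the back-channel lookup happens server to server, so the browser never sees Domain1's session itself.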
