Domain set cookie for subdomain


Problem description


I looked at many questions about cookies but I didn't find an answer to my problem. I have the following scenario:

A user creates a login on example.com and should get a cookie, but only for the subdomain fuu.example.com. I generate the following HTTP header part:

Set-Cookie: name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly 

But when I make a request to https://fuu.example.com, the cookie will not be added to the request. I wonder if it is possible for example.com to set a cookie for fuu.example.com. I know that it is possible for example.com to set a cookie for .example.com, i.e. for all subdomains of example.com, but that's not what I want.

How do I set a cookie for a subdomain? I am not seeing the cookie in a request to the subdomain.

Solution

No. Besides that fuu.example.com is an invalid Domain value (it must start with a ., i.e. .fuu.example.com) (see update below) the cookie would get rejected:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The request-host is a Fully-Qualified Domain Name (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

The request-host is example.com and the Domain attribute value is foo.example.com. But the request-host example.com does not have the form HD where D would be foo.example.com. Thus the cookie gets rejected.


Update: The current specification, RFC 6265, which obsoleted the RFC 2109 quoted above, does ignore the leading dot. But the effective domain is handled the same:

[…] if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

[…] the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".
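The rules quoted above, as an added example that is not part of the original post: a minimal model of how a user agent decides, per RFC 6265, whether to store a cookie with a given Domain attribute and whether a later request carries it. The hostnames are constructed, and public-suffix checks are deliberately left out.

```python
# Added example, not code from the original post: a minimal model of the
# RFC 6265 rules a user agent applies to the Domain attribute. Hostnames
# are constructed; public-suffix checks are deliberately left out.
from typing import Optional, Tuple


def domain_match(request_host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host domain-matches the domain if they are
    identical or the host ends with "." followed by the domain."""
    request_host, domain = request_host.lower(), domain.lower()
    return request_host == domain or request_host.endswith("." + domain)


def store_cookie(request_host: str,
                 domain_attr: Optional[str]) -> Optional[Tuple[str, bool]]:
    """Decide whether a Set-Cookie received from request_host is stored.
    Returns (cookie_domain, host_only) for a stored cookie, or None when
    the user agent rejects it (RFC 6265 section 5.3, step 6)."""
    host = request_host.lower()
    if not domain_attr:
        return host, True                 # no Domain attribute: host-only cookie
    d = domain_attr.lower()
    if d.startswith("."):                 # leading dot is ignored
        d = d[1:]
    if d.endswith("."):                   # trailing dot: attribute is ignored
        return host, True
    if not domain_match(host, d):         # request-host is not within d
        return None                       # cookie rejected
    return d, False


def cookie_sent_to(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """Is a stored cookie included on a request to request_host? (section 5.4)"""
    host = request_host.lower()
    return host == cookie_domain if host_only else domain_match(host, cookie_domain)


def would_send(set_from_host: str, domain_attr: Optional[str], request_host: str) -> bool:
    """Set a cookie in a response from set_from_host, then report whether a
    later request to request_host would carry it."""
    stored = store_cookie(set_from_host, domain_attr)
    if stored is None:
        return False
    cookie_domain, host_only = stored
    return cookie_sent_to(request_host, cookie_domain, host_only)


if __name__ == "__main__":
    # The asker's case: example.com sets Domain=fuu.example.com -> rejected.
    print(would_send("example.com", "fuu.example.com", "fuu.example.com"))  # False
    # What the answer points to: Domain=example.com covers every subdomain.
    print(would_send("example.com", "example.com", "fuu.example.com"))      # True
```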
