Cross-domain cookies - a maybe new idea


Problem description


My buddy Carsten Lau came along with an interesting idea on how to read cross-domain-cookies.

Situation: You want to read, from domain "A", a cookie that was set on domain "B". Idea: From the client on domain "A", you execute a GET request to a dynamic resource on domain "B", e.g. an image or JavaScript, which on server "B" is in fact generated by a programming language capable of reading cookies, like PHP, Java etc. With that request, you send a unique identifier like a session id. So the code on the client, which is looking at a site on domain "A", could look like this:

<img src="http://www.domainB.com/getCookie.php?sessionID=1234">

Now comes the funny part: server B reads, on the server side, the cookie set by domain "B" and either writes the result together with the provided session id into a DB accessible by domain "A", or returns a response containing the cookie information to the client on domain "A", which then sends it via AJAX to server "A".

I am pretty sure there is a flaw we didn't find yet. I personally believe server "B" will not be able to read the cookie information because the client browser's URL points to domain "A", but of course the "getCookie" request explained above points to "B".

Please tell us what you think about it, why it works or why it can't work. A small proof of concept was, to my big surprise, successful.

Solution

This is normal, because you have control of both domains. This is how most websites achieve cross-domain single sign-on, by the way. But if you do not have control of the second domain you cannot read cookies from it.
