Cross-domain login using JSONP and cookies

Problem description

How can I allow users to log into one domain and automatically be logged into my other domains without them having to submit a form on each domain?

Solution

We all know that cookies are not accessible cross-domain as this presents a security risk. However, using some trickery, there are ways around this. Basically we are setting a cookie for the user on a central domain, checking for that cookie's existence using a script, then using a JSON-P callback to copy that cookie onto the other domains. In more detail:

Logging In

Step 1

The <form> displayed on mydomain.com (or myotherdomain.com, etc) should POST to central.com/login

Step 2

On central.com/login, the username and password are verified and a cookie is set on the central.com domain containing a unique value for that user. The user is then redirected back to mydomain.com

SELECT unique_value FROM users WHERE username = $username
set cookie on central.com containing unique_value

Step 3

Back on mydomain.com we embed a javascript call to central.com/check.

<script type="text/javascript" src="http://central.com/check"></script>

Step 4

On central.com/check we check if the unique cookie is set for the user. Then we embed a JavaScript callback (JSON-P) that informs mydomain.com that the user is logged in. No sensitive user data is included, otherwise hacker.com could embed this script and get the user's information. (Setting appropriate Access-Control headers to only allow verified domains can alleviate this risk.) Instead, we create a disposable hash based on the timestamp, so that mydomain.com can verify the authentication.

if cookie on central.com is valid
    user_data = array(
       'success' => true,
       'uid'     => $uid,
       'time'    => time_stamp,
       'hash'    => disposable_salted_hash( $uid, time_stamp )
    )
    echo 'setDomainCookie(' . json_encode(user_data) . ')'

Step 5

The callback function is then executed, setting the cookie on mydomain.com. Finally, we can either refresh the page or just alert the user using JavaScript that they are logged in (preferably both).

// JSON-P callback invoked by the script loaded from central.com/check (Step 3).
// On success it forwards the disposable token to this domain's /setcookie endpoint,
// which verifies it server-side and sets the cookie for mydomain.com.
function setDomainCookie( user_data ) {
    if( user_data.success ) {
        $.post('/setcookie', user_data, function() {
            location.reload(true);
        });
    }
}

mydomain.com/setcookie is similar to Step 2. Of course this assumes both sites have access to the same database (and code)

if hash = disposable_salted_hash( $uid, time_stamp )
    SELECT unique_value FROM users WHERE uid = $uid
    set cookie on mydomain.com containing unique_value

Step 6

The next time the user refreshes the page, we can bypass the JSON-P callback

if cookie on mydomain.com is valid
    loggedin = true
else
    delete cookie on mydomain.com
    proceed to Step 3

Logging Out

Step 7

The link on mydomain.com should go to central.com/logout

Step 8

On central.com/logout, not only is the cookie deleted, but the unique value for that user is reset. The user is redirected back to mydomain.com

delete cookie on central.com
UPDATE users SET unique_value = new_random_value() WHERE username = $username

Step 9

Now that the unique value is reset, Step 6 from above fails, the cookie is also deleted from mydomain.com, and the user is effectively logged out.

Notes

  1. It is critical that central.com/check from Step 4 has the correct headers set so that it is not cached.

  2. Steps 3-5 when the user is logging in may cause a slight delay. It's wise to both refresh and show some kind of JavaScript alert that they are logged in. It's also important for the script from Step 3 to be as close to the top of the page as possible.

  3. In Step 5, you can optionally store a unique cookie value on each domain.

  4. The separate central.com domain is not really necessary; you can just use one of the other domains as the central domain if you wish. The logic for that domain would obviously be different.

  5. For this to work on Internet Explorer you will need a P3P policy attached to your cookies.

  6. As IvanGusev points out in the comments, one flaw of this approach is that if the user logs out of device A, it will also log them out of every other device.

  7. Hope this is helpful to people. I'd be very interested to receive feedback, especially if there are any security flaws from this method. I think the worst a hacker could do is replicate Steps 3-5 and log you in to mydomain.com without you knowing, but that would be harmless.
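The following is an added example, not code from the answer above: a self-contained Python model of Steps 2 through 9, with central.com/check, mydomain.com/setcookie and the logout reset all simulated in one process so the handoff can be run and tested offline. The answer leaves disposable_salted_hash unspecified; here it is an HMAC-SHA256 over uid and timestamp keyed with a secret shared by the two sites (an assumption, in line with the answer's own assumption that both sites share a database and code), because an unkeyed hash over public values could be recomputed by anyone. The receiving side rejects tokens outside a 60-second window and compares digests in constant time, and the JSONP callback name is restricted to a plain identifier since the response body is executed as script on mydomain.com. SHARED_SECRET, TOKEN_TTL_SECONDS, CHECK_HEADERS, the USERS table and every function name are assumptions introduced for this example; in production the Step 3 script should of course be loaded over HTTPS, not the http:// URL shown in the answer.

```python
"""
Added example (not code from the original answer): an in-memory model of the
central.com -> mydomain.com handoff from Steps 2-9. Names, the shared secret,
the 60-second token window and the USERS table are all assumptions.
"""
import hashlib
import hmac
import json
import re
import secrets
import time

# Assumption: both sites hold this secret (the answer already assumes they share
# a database and code). Without a key, anyone could recompute the "hash".
SHARED_SECRET = b"replace-with-a-random-32-byte-secret"
TOKEN_TTL_SECONDS = 60  # assumption: how long a /check token stays acceptable

# Headers central.com/check must send (Note 1): executable JS, never cached.
CHECK_HEADERS = {
    "Content-Type": "application/javascript; charset=utf-8",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
}

# Constructed stand-in for the answer's `users` table.
USERS = {"alice": {"uid": 42, "unique_value": secrets.token_urlsafe(32)}}

# Only a plain identifier may name the JSONP callback: the body is executed as script.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]{0,63}$")


def central_login(username):
    """Step 2: after password verification, central.com's cookie holds unique_value."""
    return USERS[username]["unique_value"]


def cookie_is_valid(cookie):
    """Steps 4 and 6: a cookie is valid only while it equals a user's current unique_value."""
    for row in USERS.values():
        if hmac.compare_digest(str(cookie).encode(), row["unique_value"].encode()):
            return row["uid"]
    return None


def disposable_salted_hash(uid, ts):
    """Step 4's hash, implemented as HMAC-SHA256 over uid and timestamp."""
    return hmac.new(SHARED_SECRET, f"{uid}:{ts}".encode(), hashlib.sha256).hexdigest()


def central_check(central_cookie, callback="setDomainCookie", now=None):
    """Step 4: body of central.com/check. Exposes uid, time and the HMAC, nothing else."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    uid = cookie_is_valid(central_cookie) if central_cookie else None
    if uid is None:
        user_data = {"success": False}
    else:
        ts = int(time.time() if now is None else now)
        user_data = {"success": True, "uid": uid, "time": ts,
                     "hash": disposable_salted_hash(uid, ts)}
    return f"{callback}({json.dumps(user_data)})"


def parse_jsonp(body):
    """What the browser effectively does with the script: split callback name from argument."""
    m = re.fullmatch(r"([A-Za-z_$][\w$]*)\((.*)\)", body, re.S)
    if not m:
        raise ValueError("not a JSONP body")
    return m.group(1), json.loads(m.group(2))


def mydomain_setcookie(user_data, now=None):
    """Step 5: mydomain.com/setcookie. Returns the cookie value to set, or None to refuse."""
    if not user_data.get("success"):
        return None
    uid, ts, given = user_data["uid"], int(user_data["time"]), str(user_data["hash"])
    now = int(time.time() if now is None else now)
    if abs(now - ts) > TOKEN_TTL_SECONDS:      # stale token: captured earlier, replayed now
        return None
    expected = disposable_salted_hash(uid, ts)
    if not hmac.compare_digest(given.encode(), expected.encode()):  # forged or tampered
        return None
    for row in USERS.values():
        if row["uid"] == uid:
            return row["unique_value"]
    return None


def central_logout(username):
    """Step 8: rotating unique_value invalidates the copied cookie on every domain (Step 9)."""
    USERS[username]["unique_value"] = secrets.token_urlsafe(32)


if __name__ == "__main__":
    central_cookie = central_login("alice")                      # Step 2
    _, payload = parse_jsonp(central_check(central_cookie))      # Steps 3-4
    mydomain_cookie = mydomain_setcookie(payload)                # Step 5
    print("mydomain.com cookie valid:", cookie_is_valid(mydomain_cookie) == 42)
    central_logout("alice")                                      # Steps 7-8
    print("after logout still valid:", cookie_is_valid(mydomain_cookie) is not None)
```

Running the module walks through a login, the copied cookie validating on mydomain.com, and the logout reset making that same cookie fail at Step 6. Because the token is only an HMAC plus a timestamp, a captured /check response remains acceptable to /setcookie until the window expires; keep TOKEN_TTL_SECONDS short, and note that the hash in the answer's Step 4 must be keyed this way (or otherwise unforgeable) for the handoff to prove anything at all.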
