Cross domain PHP Sessions

Problem description

I am building a site which allows a user to point a CNAME record at my site to run their "profiles", this allows your OWN domain name to load your profile on my site.

This is raising all sorts of issues related to sessions. I have seen virb do it. I don't see any of the information that is session based in an iFrame... but there IS an iFrame present on the page.

I can get the domain stuff to work, I just lose session data... Any ideas?

(Here is an example --Links to Virb-- http://www.agentspider.com/ )

Recommended answer

You can't set cookies cross domain by default. I believe you can set up a P3P file(s) to enable it. http://p3ptoolbox.org/guide/section4.shtml#IVd I haven't done this myself, so I don't know how many of the browsers implement it or if it even works that way.

Virb looks like it's just using JavaScript. It has an AJAX library, that makes a JSON-P request to the virb server if no session cookie is set. (first load of Firefox you can see this in Firebug) The JSON response just lets the page know if the user is logged in or not, and updates the portions of the page that need to reflect user status.

So what's happening is the page embeds some JS from virb.com. Since the domain is virb.com, the cookies set to virb.com are sent to the server. The server then responds with the result of the cookie to the external site.

In the case of virb, which won't work properly without JS, I think that's a good option. However, you could do the same with HTTP Redirects.

If the HTTP Host is not the main domain (example.com):

if (empty($_COOKIE['sessionid']) && $_SERVER['HTTP_HOST'] != 'example.com') {
    // no session cookie on this host: redirect to your main site
    header('Location: http://example.com');
    exit; // stop here so no page content follows the redirect
}

On the main site, set the cookie, and send the user back to the external domain (domain.com) passing the session id in the Location.

header('Location: http://domain.com/?sessid=' . urlencode($_COOKIE['sessionid']));

The final bit is to redirect back to the page you were on now that you have the same session going.

setcookie('sessionid', $_GET['sessid']); // sessid arrives in $_GET['sessid']
header('Location: http://domain.com/');
exit;

Note, in actuality you can send the page you're currently on back to example.com in the first step, so you can redirect back to it later.

Since you're just using headers (you don't need to output content) and in most cases HTTP/1.1, so you'll be on the same TCP socket, I think it's pretty efficient and will be more supported than the JavaScript option.

Edit: don't forget to set the cookie when you get back to the external domain.

Last step is optional but it keeps the sessid from being in a URL. Which is more of a security issue than keeping it in HTTP headers.
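
A hardened variant of the redirect handoff described in the answer above, as an added example that is not part of the original answer: instead of the session id, the Location URL carries a random, single-use, short-lived code bound to the target host, which the external domain exchanges server-side. `HandoffStore`, its in-memory array (standing in for storage both hosts can reach) and the host allowlist are assumptions; it requires PHP 8.

```php
<?php
// Added example, not code from the original answer. HandoffStore, the array
// used as storage (stand-in for a table or cache shared by both hosts) and
// the allowlist of profile domains are assumptions.
final class HandoffStore
{
    private array $codes = [];   // sha256(code) => [session id, host, expiry]

    public function __construct(private array $allowedHosts, private int $ttl = 30) {}

    // Main site (example.com): issue a random single-use code for one host.
    public function issue(string $sessionId, string $host, int $now): string
    {
        // Only redirect to registered profile domains (no open redirect).
        if (!in_array($host, $this->allowedHosts, true)) {
            throw new InvalidArgumentException('host is not a registered profile domain');
        }
        $code = bin2hex(random_bytes(16));
        $this->codes[hash('sha256', $code)] = [$sessionId, $host, $now + $this->ttl];
        return $code;            // goes in the Location URL instead of the session id
    }

    // External domain: exchange the code for the session id, once only.
    public function redeem(string $code, string $host, int $now): ?string
    {
        $key = hash('sha256', $code);
        $entry = $this->codes[$key] ?? null;
        unset($this->codes[$key]);   // burn the code even if a check below fails
        if ($entry === null) {
            return null;
        }
        [$sessionId, $boundHost, $expires] = $entry;
        return ($boundHost === $host && $now <= $expires) ? $sessionId : null;
    }
}

// Constructed walk-through; the session id and timestamps are sample values.
$store = new HandoffStore(['domain.com']);
$code  = $store->issue('sample-session-id', 'domain.com', 1000);
$url   = 'http://domain.com/?code=' . rawurlencode($code);   // redirect target

var_dump($store->redeem($code, 'domain.com', 1010));   // first use
var_dump($store->redeem($code, 'domain.com', 1011));   // replay of the same code
$late = $store->issue('sample-session-id', 'domain.com', 1000);
var_dump($store->redeem($late, 'domain.com', 1031));   // redeemed after the lifetime
```

A code that leaks through a Referer header, browser history or an access log is already spent or expired by the time it can be replayed, which is not true of a session id passed the same way.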
