Automatic cookie single sign on on multiple domains - like google


Question

I don't understand how google achieves the following mechanism of single sign on:


  1. For example, I log in to gmail (I think

  2. I open a new tab and type the youtube URL directly

  3. Then I enter the youtube login.

How can this second site detect that I've already been logged in? They are different domains. Youtube can't read the cookie of Gmail.

All the solutions I've read about single sign on don't allow this. The client always asks permission from a central login app. In my example YouTube doesn't know I am the same user logged in Gmail (actually it does know, but I don't understand how).

Note that I type the url of "youtube" by hand. I don't click the youtube icon from the upper toolbar of gmail (in that case gmail may pass some auth params through the url, for example).

Answer

The cookies are set on specific domains. Ex:

setcookie(name,value,expire,path,domain) 

When you log in on gmail, before "mail.google.com", you have been redirected to "accounts.google.com" then to "mail.google.com", so the cookies are on "accounts.google.com" too.

In this case, the domain is "accounts.google.com" and the path is "/" (the home path).

When you request "www.youtube.com" and then click on "connection", it requests "accounts.google.com" fast, so you can't see this redirection, and checks if you have cookies on "accounts.google.com". If so, it checks if the cookies are valid and not expired, or the user not banned... Then it redirects you to "www.youtube.com/signin?loginthisSession=Sessionid". This request contains the value of the sessionid cookie caught from the cookies of "accounts.google.com".

In the last step, "www.youtube.com" logs you in, sets its own cookies on the domain "www.youtube.com" and saves them.

So the trick is on the 302 HTTP redirect.
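The redirect chain the answer describes, as an added Python model that is not part of the original answer or of any Google code. It uses two hypothetical domains, `accounts.example` (the identity provider, standing in for accounts.google.com) and `www.video.example` (the relying party, standing in for www.youtube.com), a browser whose cookie jar is keyed by domain so that neither site can read the other's cookies, and a 302-following request loop. One deliberate departure from the answer, marked in the code: the redirect back to the relying party carries a short-lived one-time token that the relying party redeems server-to-server, not the session id itself, so the login-domain session cookie value never appears in a URL, a Referer header or another site's access logs.

```python
"""Toy model of cookie-scoped single sign-on via 302 redirects (constructed example)."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
from typing import Optional

IDP = "accounts.example"    # hypothetical identity-provider domain
RP = "www.video.example"    # hypothetical relying-party domain


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[tuple] = None          # (domain, path, query) for a 302
    set_cookies: dict = field(default_factory=dict)


# --- identity provider state: lives on the server, never sent to the browser ---
idp_sessions: dict[str, str] = {}   # SID cookie value -> user name
idp_tokens: dict[str, str] = {}     # one-time token -> user name (our departure from the answer)


def idp_handler(path, query, cookies):
    if path == "/login":                       # what mail.example would redirect to first
        sid = secrets.token_urlsafe(16)
        idp_sessions[sid] = query["user"]
        return Response(200, "logged in", set_cookies={"SID": sid})
    if path == "/sso":                         # the "fast" hop the user never sees
        rp = query["continue"]
        user = idp_sessions.get(cookies.get("SID", ""))
        if user is None:
            return Response(302, location=(rp, "/signin", {"error": "not_logged_in"}))
        token = secrets.token_urlsafe(16)      # short-lived, single-use, bound to this session
        idp_tokens[token] = user
        return Response(302, location=(rp, "/signin", {"token": token}))
    return Response(404)


def idp_redeem(token):
    """Server-to-server exchange: a token is valid exactly once."""
    return idp_tokens.pop(token, None)


rp_sessions: dict[str, str] = {}    # RPSID cookie value -> user name


def rp_handler(path, query, cookies):
    if path == "/":
        user = rp_sessions.get(cookies.get("RPSID", ""))
        return Response(200, f"hello {user}" if user else "anonymous")
    if path == "/signin":
        if "error" in query:                   # IdP had no valid session cookie
            return Response(401, "not logged in at identity provider")
        if "token" not in query:               # first visit: bounce to the login domain
            return Response(302, location=(IDP, "/sso", {"continue": RP}))
        user = idp_redeem(query["token"])
        if user is None:                       # replayed or forged token
            return Response(403, "invalid token")
        rpsid = secrets.token_urlsafe(16)      # RP sets its *own* cookie on its own domain
        rp_sessions[rpsid] = user
        return Response(302, location=(RP, "/", {}), set_cookies={"RPSID": rpsid})
    return Response(404)


HANDLERS = {IDP: idp_handler, RP: rp_handler}


class Browser:
    """Cookie jar keyed by domain: a request only ever carries that domain's cookies."""

    def __init__(self):
        self.jar: dict[str, dict[str, str]] = {}

    def get(self, domain, path, query=None, max_redirects=5):
        query = query or {}
        for _ in range(max_redirects + 1):
            resp = HANDLERS[domain](path, query, self.jar.get(domain, {}))
            self.jar.setdefault(domain, {}).update(resp.set_cookies)
            if resp.status != 302:
                return resp
            domain, path, query = resp.location
        raise RuntimeError("too many redirects")


def demo():
    b = Browser()
    before = b.get(RP, "/").body                    # never logged in anywhere
    b.get(IDP, "/login", {"user": "alice"})         # log in at the identity provider only
    still_anon = b.get(RP, "/").body                # RP cannot see the IdP cookie
    after = b.get(RP, "/signin").body               # one click: 302 chain logs us in at RP
    return before, still_anon, after, sorted(b.jar[RP]), sorted(b.jar[IDP])


def demo_not_logged_in():
    """A fresh browser with no IdP session is bounced back with an error, not a loop."""
    return Browser().get(RP, "/signin").status
```

The `demo()` function walks the three states a practitioner cares about: the relying party sees an anonymous visitor, it still sees an anonymous visitor after the user logged in at the identity provider (the jar for `www.video.example` holds no `SID`), and only after the `/signin` redirect chain does it hold its own `RPSID` cookie. `idp_redeem` popping the token is what makes a captured sign-in URL worthless the second time.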
