跨多个域的用户身份验证 [英] User Authentication Across Multiple Domains

问题描述

对此发表了先前的问题，但有后续意见.我试图创建一种解决方法，以在昂贵的自定义域上使用SSL.我愿意忍受用户将 https://app.heroku.com 从 http://www.app.com 用于某些安全页面，并且需要使用猴子修补的SSL才能实现此目的.但是，现在此问题与确保我登录时已登录我的用户有关.据我了解，Cookie不是跨域的.有没有解决这个问题的方法?

Posted a previous question on this, but have a followup. I was trying to create a workaround to use SSL on the expensive custom domain. I'm willing to live with bumping a user to https://app.heroku.com from http://www.app.com for certain secure pages, and have monkey-patched SSL required to make this happen. However, now this issue is with making sure my User is logged in when I do so. As I understand, cookies aren't cross domain. Is there a way around this issue?

推荐答案

现在正在处理此问题-不，会话未通过，您可以对iframe进行一些黑客攻击，但随后会收到安全警告并非页面上的所有内容都受到保护...
如果您想保持跨域的安全，就不能传递任何内容.
我发现的唯一方法是在https页面的url + user_id中传递定制的authenticity_token(您可以只执行md5("#{user.id} The Secret"))，并检查在https页面上是否获得相同的结果...
不太复杂，但是有点丑...

Was dealing with this issue right now - no, session isn't passed, you can do some hacking with iframes etc, but then you'll get security warning that not everything on the page is secured...
You can't pass anything cross domain if you want to maintain it secured...
The only way I found is to pass custom made authenticity_token in the url + user_id of the https page (you can do just md5("#{user.id} The Secret")) and check if you get the same result on the https page...
Not too complicated to do, but a little ugly...

在我的情况下，这是一个付款页面，因此我并不在乎用户是否登录，因为如果有人对其进行了黑客入侵，他最终将为其他人付款:)

In my case it's a payment page, so I don't really care if the user logged in, because if someone hacks it - he will just end up paying for someone else :)

这篇关于跨多个域的用户身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！