Understanding cookie domain relationship with top level domain and its subdomains


Question

I have a domain with 2 subdomains like this: www.domain.com and secure.domain.com (with SSL). The www subdomain will be running vBulletin (prone to XSS attacks), and the web service behind the secure subdomain is, well, more secure as well as more sensitive to attacks, since real money is involved there. domain.com is 301-redirecting to www.domain.com. Now I'd like to have a single sign-on to both of the services without compromising the security of the secure subdomain. It seems to me there are 2 ways of doing this:

  1. Using OpenID and, after successful authentication, setting the cookie domain only to the respective subdomain, for example .www.domain.com and .secure.domain.com, so that secure.domain.com cookies will not be sent to the attacker in case of an intrusion into www.domain.com.

  2. Only enabling users to log on from secure.domain.com and setting 2 cookies: 1 with .domain.com for seamless authentication to www.domain.com, and another cookie for .secure.domain.com to verify that the user has authenticated through the secure subdomain.

My understanding is that when it comes to SSO across several web apps on a single domain and its subdomains, running any app on the top-level domain, such as domain.com, would be a potential security risk, because the app on the top level will always be sent all the cookies set by subdomains, and subdomains will be able to set and receive cookies of the top-level domain.

The question is this: are my assumptions correct, or did I miss something?

Answer

You can set the cookie as secure and it will be sent only over SSL connections (no matter what domain the client connects to). Of course, more complicated scenarios are possible as well.
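To make the scoping rules behind the question and the answer concrete, here is an added example (not part of the original question or answer) that models RFC 6265 domain matching and the Secure flag for a browser cookie jar. The `Cookie`, `make_cookie` and `cookies_for` names and the constructed `JAR` (option 2 from the question: the user logs in on secure.domain.com) are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # Domain attribute (leading dot stripped) or the setting host
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool = False

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal, or request_host is a subdomain of cookie_domain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def make_cookie(name: str, set_by_host: str, domain_attr: Optional[str] = None, secure: bool = False) -> Cookie:
    """The cookie a browser stores from a Set-Cookie header received from set_by_host."""
    if domain_attr is None:
        return Cookie(name, set_by_host.lower(), True, secure)
    dom = domain_attr.lower().lstrip(".")  # a leading dot is ignored by RFC 6265 clients
    if not domain_matches(set_by_host, dom):  # a host may only scope to itself or a parent
        raise ValueError(f"{set_by_host} may not set a cookie scoped to {dom}")
    return Cookie(name, dom, False, secure)

def cookies_for(url: str, jar: list) -> list:
    """Names of the stored cookies a browser attaches to a request for url (section 5.4)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    over_https = parts.scheme == "https"
    sent = []
    for c in jar:
        if c.host_only and host != c.domain:      # host-only cookies never cross hosts
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if c.secure and not over_https:           # Secure: only over TLS
            continue
        sent.append(c.name)
    return sent

# Constructed jar for the question's option 2: the user logs in on secure.domain.com.
JAR = [
    make_cookie("sso", "secure.domain.com", ".domain.com", secure=True),  # shared with www
    make_cookie("session", "secure.domain.com", secure=True),             # host-only
    make_cookie("forum", "www.domain.com"),                                # vBulletin's own
]

if __name__ == "__main__":
    for u in ("https://secure.domain.com/", "https://www.domain.com/", "http://www.domain.com/"):
        print(u, cookies_for(u, JAR))
```

Note that the same rules let www.domain.com set its own cookie scoped to domain.com, which is the overwrite risk the question raises; the host-only `session` cookie is the one that never reaches the www host.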
