Django 会话 cookie:来自(任何)其他域，检查用户是否登录 [英] Django session cookie: from (any) other domain, check if user is logged in

问题描述

我有一个域 domain1.com.用户登录并设置 cookie.这是使用 Django 会话完成的.

I have a domain domain1.com. The user logs in and a cookie is set. This is done using Django sessions.

然后我转到另一个域 domain2.com.该域运行 javascript.从这个 javascript，我想看看用户是否登录到 domain1.com.

I then go to another domain domain2.com. This domain runs javascript. From this javascript, I want to see if the user is logged into domain1.com.

这可能吗?我可以从域 2 中看到属于域 1 的 cookie 吗?或者我可以通过ajax以某种方式调用domain1来检查用户是否登录?

Is this possible? Can I see a cookie belonging to domain1 from domain2? Or can I somehow via ajax make a call domain1 to check if the user is logged in?

此外，用户最初可能是从 Chrome 登录到 domain1，但现在他们正在从另一个浏览器访问 domain2.Cookie 不是特定于浏览器的吗?

Also, the user might originally have logged into domain1 from Chrome, but now they are accessing domain2 from another browser. Aren't cookies browser specific?

我想要解决的真正问题是什么?(下面重新评论):我创建了一个 Chrome 扩展程序.当用户按下 domain2 中的扩展图标时，会运行一个 javascript，它会从页面收集信息.此信息需要发送到域 1 上的用户帐户.请注意，domain2 可以是任何域，而不是我创建的域.

The real problem I am trying to solve? (re comment below): I have created a Chrome extension. When the user presses the extension icon from domain2, a javascript is run, which collects information from the page. This information needs to be sent to the user's account on domain1. Note that domain2 can be ANY domain, not one that I have created.

我尝试过的 AJAX 和 cookie.

What I tried with AJAX and cookies.

从域 1 设置 cookie:

set cookie from domain1:

response.set_cookie("user_cookie", value="somevalue", max_age=60*60, expires=None, path='/', domain=None, secure=None, httponly=False)

创建 Python 函数，从 domain1.com/checklogin 执行:

Create Python function, which is executed from domain1.com/checklogin:

@csrf_exempt
def is_logged_in(request):
    cookie = request.COOKIES.get('user_cookie') 
    if cookie is not None:
        return HttpResponse("1")
    else:
        return HttpResponse("0") 

转到 domain1.com/checklogin -> 响应为1"

Go to domain1.com/checklogin -> The response is "1"

从 domain2 调用 javascript 如下:

Call javascript from domain2 as follows:

var xmlHttp_1=new XMLHttpRequest();
xmlHttp_1.open("POST","http://domain1.com/checklogin/",false);
xmlHttp_1.send();
alert(xmlHttp_1.responseText);

这里的响应错误地为 0.它没有看到由 domain1 创建的 cookie.

The response here is, incorrectly, 0. It does not see the cookie created by domain1.

请注意，此时 domain1 是 localhost，而 domain2 是真正的域.这可能是问题吗?它确实正确调用了该函数.

Note that domain1 is, at this point, localhost and domain2 is a real domain. Could this be the issue? It does properly call the function.

推荐答案

这可能吗?我可以看到属于 domain1 的 cookie 吗?domain2?

Is this possible? Can I see a cookie belonging to domain1 from domain2?

没有.Cookie 仅限于域(及其子域)..foo.com 的 cookie 可以被 www.foo.com、zoo.foo.com 访问，但不能被 bar.com 访问.

No. Cookies are restricted to domains (and their subdomains). A cookie for .foo.com is accessible to www.foo.com, zoo.foo.com but not bar.com.

或者我可以通过ajax以某种方式调用domain1来检查用户是否是登录了吗?

Or can I somehow via ajax make a call domain1 to check if the user is logged in?

这是一种方法，是的，它会起作用.

This is one way, yes and it will work.

此外，用户最初可能是从 Chrome 登录到 domain1，但现在他们正在从另一个浏览器访问 domain2.不是特定于浏览器的 cookie?

Also, the user might originally have logged into domain1 from Chrome, but now they are accessing domain2 from another browser. Aren't cookies browser specific?

是的，他们是.如果您已登录 Chrome，然后打开 Safari，您将不会登录.

Yes, they are. If you are logged into Chrome, and you open Safari, you won't be logged in.

这篇关于Django 会话 cookie:来自(任何)其他域，检查用户是否登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！