Domain set cookie for subdomain
Question

I looked at many questions about cookies but didn't find an answer to my problem. I have the following scenario:
A user creates a login on example.com and should get a cookie, but only for the subdomain fuu.example.com. I generate the following HTTP header:
Set-Cookie: name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly
But when I make a request to https://fuu.example.com, the cookie is not added to the request. I wonder if it is possible for example.com to set a cookie for fuu.example.com. I know that it is possible for example.com to set a cookie for .example.com, i.e. for all subdomains of example.com, but that's not what I want.

How do I set a cookie for a subdomain? I am not seeing the cookie in a request to the subdomain.
Accepted answer

No. Besides that (see the update below), the cookie would get rejected: fuu.example.com is an invalid Domain value (it must start with a ".", i.e. .fuu.example.com).
To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

- The request-host is a Fully-Qualified Domain Name (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.
The request-host is example.com and the Domain attribute value is foo.example.com. But the request-host example.com does not have the form HD where D would be foo.example.com. Thus the cookie gets rejected.
Update: The current specification, RFC 6265, which obsoleted the RFC 2109 quoted above, does ignore the leading dot. But the effective domain is handled the same:
[…] if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)
[…] the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".
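The rule the answer quotes is easy to get wrong in practice, so here is a small model of RFC 6265's Domain handling (section 5.2.3 attribute parsing, 5.1.3 domain matching, 5.3 step 6 rejection, and 5.4 cookie selection) that you can run against the header from the question. This is an added example, not code from the original post or from any browser; the function names, the cookie dict layout and the sample hosts are assumptions made for illustration. It shows that example.com cannot set Domain=fuu.example.com, that a leading dot is stripped while a trailing dot makes the attribute ignored, and that a cookie without a Domain attribute is host-only and therefore never reaches a subdomain.

```python
"""Model of RFC 6265 cookie Domain handling (example code, not a browser's).

Covers: Domain attribute normalisation (s5.2.3), domain-matching (s5.1.3),
rejecting a cookie whose Domain the request-host does not match (s5.3 step 6),
and selecting which cookies go on a request (s5.4). Path matching is omitted;
every cookie in the sample uses Path=/. Public-suffix checks (s5.3 step 5) are
also omitted; real browsers additionally reject Domain=com and the like.
"""
import ipaddress
from typing import Optional


def parse_domain_attribute(raw: str) -> Optional[str]:
    """s5.2.3: None means 'ignore the attribute' (empty value or trailing dot);
    otherwise the lower-cased value with any leading dot stripped."""
    if raw == "" or raw.endswith("."):
        return None
    if raw.startswith("."):
        raw = raw[1:]
    return raw.lower()


def is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, domain: str) -> bool:
    """s5.1.3: host domain-matches domain if identical, or if host ends with
    '.' + domain and host is a name rather than an IP address."""
    host = host.lower()
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    return not is_ip_address(host)


def store_cookie(request_host: str, set_cookie: str) -> Optional[dict]:
    """Decide whether a user agent stores a Set-Cookie header received in a
    response from request_host (s5.3). Returns the stored cookie or None."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    domain = parse_domain_attribute(attrs.get("domain", ""))
    if domain is None:
        # No usable Domain attribute: host-only cookie for exactly request_host.
        cookie_domain, host_only = request_host.lower(), True
    elif not domain_matches(request_host, domain):
        # s5.3 step 6: request-host does not domain-match the Domain attribute,
        # e.g. example.com trying to set Domain=fuu.example.com. Rejected.
        return None
    else:
        cookie_domain, host_only = domain, False

    return {
        "name": name.strip(),
        "value": value.strip(),
        "domain": cookie_domain,
        "host_only": host_only,
        "path": attrs.get("path") or "/",
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def cookie_sent_to(cookie: dict, request_host: str, scheme: str = "https") -> bool:
    """s5.4: host-only cookies go only to the exact host; domain cookies go to
    every host that domain-matches; Secure cookies go only over https."""
    host = request_host.lower()
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif not domain_matches(host, cookie["domain"]):
        return False
    if cookie["secure"] and scheme != "https":
        return False
    return True


if __name__ == "__main__":
    # The header from the question, once sent by example.com, once by fuu.example.com.
    header = "name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly"
    print("set by example.com     ->", store_cookie("example.com", header))
    print("set by fuu.example.com ->", store_cookie("fuu.example.com", header))
```

The practical consequence for the question: the login response on example.com can only produce a host-only cookie for example.com (no Domain attribute) or a domain cookie for example.com and all of its subdomains (Domain=example.com); a cookie scoped to fuu.example.com alone has to be set by a response from fuu.example.com itself, for instance after redirecting the freshly logged-in user there.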