Domain set cookie for subdomain


Question

I looked at many questions about cookies but I didn't find an answer to my problem. I have the following scenario:

A user creates a login on example.com and should get a cookie, but only for the subdomain fuu.example.com. I generate the following HTTP header part:

Set-Cookie: name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly 

But when I make a request to https://fuu.example.com, the cookie is not added to the request. I wonder whether it is possible for example.com to set a cookie for fuu.example.com. I know that example.com can set a cookie for .example.com, i.e. for all subdomains of example.com, but that's not what I want.

How do I set a cookie for a subdomain? I am not seeing the cookie in a request to the subdomain.

Answer

No. Besides the fact that fuu.example.com is an invalid Domain value (it must start with a ., i.e. .fuu.example.com) (see update below), the cookie would get rejected:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The request-host is a Fully-Qualified Domain Name (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

The request-host is example.com and the Domain attribute value is foo.example.com. But the request-host example.com does not have the form HD where D would be foo.example.com. Thus the cookie gets rejected.

Update: The current specification, RFC 6265, which obsoleted the RFC 2109 quoted above, does ignore the leading dot. But the effective domain is handled the same:

[…] if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

[…] the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".
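The RFC 6265 rules the answer quotes, written out as an added example in Python (not code from the original question or answer): `domain_matches` is the section 5.1.3 domain-match test, `effective_domain` the section 5.2.3 handling of the Domain attribute, and `cookie_accepted` the section 5.3 storage check. Host names are assumed to be already canonicalised, and public-suffix checks are omitted.

```python
# Added example, not part of the original Q&A: why example.com cannot set a
# cookie scoped to fuu.example.com, per RFC 6265.
import ipaddress


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: does `host` domain-match `domain`?"""
    if host == domain:
        return True
    if not host.endswith(domain):
        return False
    # The remaining prefix must end in a dot: notexample.com must not match.
    if not host[:-len(domain)].endswith("."):
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP address never domain-matches a suffix
    except ValueError:
        return True


def effective_domain(domain_attr: str):
    """RFC 6265 section 5.2.3: normalise the Domain attribute value.
    Returns None when the attribute is to be ignored (empty or trailing dot),
    which leaves the cookie host-only."""
    if not domain_attr or domain_attr.endswith("."):
        return None
    if domain_attr.startswith("."):
        domain_attr = domain_attr[1:]  # leading dot tolerated and dropped
    return domain_attr.lower()


def cookie_accepted(request_host: str, domain_attr: str) -> bool:
    """RFC 6265 section 5.3 step 6: the user agent stores the cookie only if
    the request-host domain-matches the effective Domain attribute."""
    dom = effective_domain(domain_attr)
    if dom is None:
        return True  # attribute ignored: cookie stored as host-only
    return domain_matches(request_host.lower(), dom)


def cookie_sent_to(request_host: str, cookie_domain: str) -> bool:
    """Request time: the cookie is attached when the request-host
    domain-matches the stored cookie domain."""
    return domain_matches(request_host.lower(), cookie_domain.lower())
```

The questioner's case, `cookie_accepted("example.com", "fuu.example.com")`, returns False: example.com does not domain-match fuu.example.com, so the user agent discards the cookie.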

