What's your favorite cross domain cookie sharing approach?


Question


I see iframe/p3p trick is the most popular one around, but I personally don't like it because javascript + hidden fields + frame really make it look like a hack job. I've also come across a master-slave approach using web service to communicate (http://www.15seconds.com/issue/971108.htm) and it seems better because it's transparent to the user and it's robust against different browsers.


Are there any better approaches, and what are the pros and cons of each?

Recommended answer


My approach designates one domain as the 'central' domain and any others as 'satellite' domains.


When someone clicks a 'sign in' link (or presents a persistent login cookie), the sign in form ultimately sends its data to a URL that is on the central domain, along with a hidden form element saying which domain it came from (just for convenience, so the user is redirected back afterwards).


This page at the central domain then proceeds to set a session cookie (if the login went well) and redirect back to whatever domain the user logged in from, with a specially generated token in the URL which is unique for that session.


The page at the satellite URL then checks that token to see if it does correspond to a token that was generated for a session, and if so, it redirects to itself without the token, and sets a local cookie. Now that satellite domain has a session cookie as well. This redirect clears the token from the URL, so that it is unlikely that the user or any crawler will record the URL containing that token (although if they did, it shouldn't matter, the token can be a single-use token).


Now, the user has a session cookie at both the central domain and the satellite domain. But what if they visit another satellite? Well, normally, they would appear to the satellite as unauthenticated.


However, throughout my application, whenever a user is in a valid session, all links to pages on the other satellite domains have a ?s or &s appended to them. I reserve this 's' query string to mean "check with the central server because we reckon this user has a session". That is, no token or session id is shown on any HTML page, only the letter 's' which cannot identify someone.


A URL receiving such an 's' query tag will, if there is no valid session yet, do a redirect to the central domain saying "can you tell me who this is?" by putting something in the query string.


When the user arrives at the central server, if they are authenticated there the central server will simply receive their session cookie. It will then send the user back to the satellite with another single use token, which the satellite will treat just as a satellite would after logging in (see above). I.e., the satellite will now set up a session cookie on that domain, and redirect to itself to remove the token from the query string.


My solution works without script, or iframe support. It does require '?s' to be added to any cross-domain URLs where the user may not yet have a cookie at that URL. I did think of a way of getting around this: when the user first logs in, set up a chain of redirects around every single domain, setting a session cookie at each one. The only reason I haven't implemented this is that it would be complicated in that you would need to be able to have a set order that these redirects would happen in and when to stop, and would prevent you from expanding beyond 15 domains or so (too many more and you become dangerously close to the 'redirect limit' of many browsers and proxies).

Follow-up note: this was written 11 years ago, when the web was very different - for example, XMLHttpRequest was not considered something you could rely on, let alone cross-domain.
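As an added illustration (not code from the answer or from any project), here is a Python simulation of the central/satellite handoff the answer describes: the central domain owns the real session and mints a random handoff token, the satellite redeems it once and then issues its own cookie, and the `?s` hint sends an unknown visitor to the central domain. The `Central` and `Satellite` classes, the return tuples standing in for HTTP responses, and the 60-second token lifetime are assumptions made for the example.

```python
import secrets
import time

TOKEN_TTL = 60  # seconds a handoff token stays redeemable (assumed value)

class Central:  # the 'central' domain: owns the real session, mints handoff tokens
    def __init__(self):
        self.sessions = {}  # central session cookie -> username
        self.tokens = {}    # single-use token -> (central cookie, issued_at)

    def login(self, username):
        # Credential check omitted; a successful login creates the central session.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid  # becomes the session cookie on the central domain

    def issue_token(self, central_cookie):
        # A satellite sent the user here; only a valid central cookie gets a token.
        if central_cookie not in self.sessions:
            return None
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (central_cookie, time.time())
        return tok  # travels back to the satellite in the redirect URL

    def redeem(self, tok):
        # Satellite asks whether a token is genuine; it is consumed on first use.
        entry = self.tokens.pop(tok, None)
        if entry is None or time.time() - entry[1] > TOKEN_TTL:
            return None
        return self.sessions.get(entry[0])

class Satellite:  # own cookie jar; trusts only tokens redeemed at central
    def __init__(self, central):
        self.central = central
        self.cookies = {}  # local session cookie -> username

    def request(self, path, cookie=None, token=None):
        if cookie in self.cookies:
            return ("200", self.cookies[cookie])
        if token is not None:  # arriving back from central with a handoff token
            user = self.central.redeem(token)
            if user is None:
                return ("403", None)
            local = secrets.token_urlsafe(32)
            self.cookies[local] = user
            return ("302 -> " + path, local)  # redirect to self, token stripped
        if path.endswith(("?s", "&s")):  # the 's' hint: go ask central who this is
            return ("302 -> central", None)
        return ("200", None)  # anonymous visitor
```

A real deployment would also bind the token to the requesting satellite and deliver the redeem call server-to-server, so a token leaked from a URL cannot be replayed elsewhere even within its lifetime.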
