Automatic cookie single sign on on multiple domains - like google
Question
I don't understand how google achieves the following mechanism of single sign on:
- I log in to gmail, for example (I suppose this creates a cookie with my authorization)
- I open a new tab and directly type the url of "youtube"
- Then I enter youtube logged in.
How can this second site detect that I've already been logged in? They are different domains. Youtube can't read the cookie of Gmail.
All the solutions I've read about Single sign on don't allow this. The client always asks permission from a central login app. In my example YouTube doesn't know I am the same user logged in to Gmail (actually it does know, but I don't understand how).
Note that I type the url of "youtube" by hand. I don't click the youtube icon in the upper toolbar of gmail (in that case gmail may pass some auth params through the url, for example).
The cookies are set on specific domains. Ex:
setcookie(name,value,expire,path,domain)
When you log in on gmail, before "mail.google.com", you have been redirected to "accounts.google.com" and then to "mail.google.com", so the cookies are on "accounts.google.com" too.
In this case, the domain is "accounts.google.com" and the path is "/" (the home path).
When you request "www.youtube.com" and then click on "connection", it requests "accounts.google.com" so fast that you can't see this redirection, and checks whether you have cookies on "accounts.google.com". If so, it checks whether the cookies are valid and not expired, or the user not banned... Then it redirects you to "www.youtube.com/signin?loginthisSession=Sessionid". This request contains the value of the sessionid cookie caught from the cookies of "accounts.google.com".
In the last step, "www.youtube.com" logs you in, sets its own cookies on the domain "www.youtube.com" and saves them.
So the trick is in the 302 HTTP redirect.
Update
I do not know why people keep mentioning iframes. Take a look at the date when this question was posted, in 2016; Google was not using iframes then. As I mentioned, in the capture of web traffic you can see SetSID, which means: set the cookie of SESSION_ID from accounts.google.dz (com), then redirect to youtube.com. It cannot be used through an iframe: different domains, security measure. You cannot be redirected from domain to domain through an iframe either. Please read this before posting.
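The redirect chain the answer describes, as an added example that is not part of the original post or of any Google implementation: two hypothetical hosts, accounts.example (the central login) and video.example (the relying party), a browser model with a per-host cookie jar, and a 302 hop from the relying party to the accounts host and back. It differs from the answer in one deliberate respect: instead of copying the accounts session id itself into the redirect URL, the accounts host issues a one-time, short-lived token bound to the relying party, which the relying party redeems before minting its own cookie. A URL-borne session id ends up in server logs, Referer headers and browser history, so the token indirection is the mitigation a practitioner would insist on.

```python
"""Simulated redirect-based SSO across two origins (constructed example, no network)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ACCOUNTS_HOST = "accounts.example"   # hypothetical central login host
RP_HOST = "video.example"            # hypothetical relying party


class Browser:
    """Follows redirects and keeps one cookie jar per host, so a cookie set by
    accounts.example is never sent to video.example (the same-origin rule the
    question is about)."""

    def __init__(self, servers):
        self.servers = servers          # host -> server object
        self.cookies = {}               # host -> {cookie name: value}

    def get(self, url, max_redirects=5):
        for _ in range(max_redirects + 1):
            parts = urlsplit(url)
            jar = self.cookies.setdefault(parts.netloc, {})
            status, headers, body = self.servers[parts.netloc].handle(
                parts.path, parse_qs(parts.query), jar)
            for name, value in headers.get("set-cookie", []):
                jar[name] = value       # stored only under the responding host
            if status == 302:
                url = headers["location"]
                continue
            return status, body
        raise RuntimeError("too many redirects")


class AccountsServer:
    """Holds the real login session and hands out single-use SSO tokens."""

    def __init__(self, allowed_rps):
        self.sessions = {}              # SID cookie value -> username
        self.tokens = {}                # token -> (username, rp host, expiry)
        self.allowed_rps = allowed_rps  # only known relying parties get tokens

    def handle(self, path, query, cookies):
        if path == "/login":            # credential check elided in this model
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = query["user"][0]
            return 200, {"set-cookie": [("SID", sid)]}, "logged in"
        if path == "/sso":
            rp = query["rp"][0]
            if rp not in self.allowed_rps:
                return 400, {}, "unknown relying party"
            user = self.sessions.get(cookies.get("SID"))
            if user is None:
                return 200, {}, "login form"   # no SID cookie: show the form
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (user, rp, time.time() + 60)
            return 302, {"location": f"https://{rp}/callback?{urlencode({'token': token})}"}, ""
        return 404, {}, ""

    def redeem(self, token, rp):
        """Back-channel check: single use, bound to the rp, 60 s lifetime."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            return None
        user, bound_rp, expiry = entry
        if bound_rp != rp or time.time() > expiry:
            return None
        return user


class RelyingParty:
    """Never sees the accounts cookie; after redeeming a token it sets its own."""

    def __init__(self, host, accounts):
        self.host, self.accounts, self.sessions = host, accounts, {}

    def handle(self, path, query, cookies):
        if path == "/":
            user = self.sessions.get(cookies.get("RPSID"))
            return 200, {}, f"hello {user}" if user else "anonymous"
        if path == "/signin":           # first 302: off to the central login
            return 302, {"location": f"https://{ACCOUNTS_HOST}/sso?{urlencode({'rp': self.host})}"}, ""
        if path == "/callback":         # back from the central login with a token
            user = self.accounts.redeem(query.get("token", [""])[0], self.host)
            if user is None:
                return 403, {}, "invalid token"
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = user
            return 302, {"set-cookie": [("RPSID", sid)], "location": f"https://{self.host}/"}, ""
        return 404, {}, ""


def demo():
    """Log in at accounts.example, then sign in at video.example via redirects."""
    accounts = AccountsServer(allowed_rps={RP_HOST})
    browser = Browser({ACCOUNTS_HOST: accounts, RP_HOST: RelyingParty(RP_HOST, accounts)})
    browser.get(f"https://{ACCOUNTS_HOST}/login?user=alice")
    before = browser.get(f"https://{RP_HOST}/")[1]        # "anonymous"
    after = browser.get(f"https://{RP_HOST}/signin")[1]   # "hello alice"
    return before, after, browser.cookies


def replay_is_rejected():
    """A token can be redeemed once; a second redemption returns None."""
    accounts = AccountsServer(allowed_rps={RP_HOST})
    accounts.sessions["s"] = "bob"
    _, headers, _ = accounts.handle("/sso", {"rp": [RP_HOST]}, {"SID": "s"})
    token = parse_qs(urlsplit(headers["location"]).query)["token"][0]
    return accounts.redeem(token, RP_HOST), accounts.redeem(token, RP_HOST)


if __name__ == "__main__":
    print(demo()[:2])
```

Running `demo()` shows the point of the answer: before the sign-in hop the relying party sees an anonymous visitor, after three 302s it greets the user, and the browser's jar holds `SID` only under accounts.example and `RPSID` only under video.example. `replay_is_rejected()` shows why the token, rather than the session id, belongs in the URL.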