Cross-domain login using JSONP and cookies


Question

How can I allow users to log into one domain and automatically be logged into my other domains without them having to submit a form on each domain?

Answer

We all know that cookies are not accessible cross-domain as this presents a security risk. However, using some trickery, there are ways around this. Basically we are setting a cookie for the user on a central domain, checking for that cookie's existence using a script, then using a JSON-P callback to copy that cookie onto the other domains. In more detail:

Step 1

The <form> displayed on mydomain.com (or myotherdomain.com, etc.) should POST to central.com/login.

Step 2

On central.com/login, the username and password are verified and a cookie is set on the central.com domain containing a unique value for that user. The user is then redirected back to mydomain.com.

SELECT unique_value FROM users WHERE username = $username
set cookie on central.com containing unique_value

Step 3

Back on mydomain.com we embed a JavaScript call to central.com/check.

<script type="text/javascript" src="http://central.com/check"></script>

Step 4

On central.com/check we check if the unique cookie is set for the user. Then we embed a JavaScript callback (JSON-P) that informs mydomain.com that the user is logged in. No sensitive user data is included, otherwise hacker.com could embed this script and get the user's information. (Setting appropriate Access-Control headers to only allow verified domains can alleviate this risk.) Instead, we create a disposable hash based on the timestamp, so that mydomain.com can verify the authentication.

if cookie on central.com is valid
    user_data = array(
       'success' => true,
       'uid'     => $uid,
       'time'    => time_stamp,
       'hash'    => disposable_salted_hash( $uid, time_stamp )
    )
    echo 'setDomainCookie(' . json_encode(user_data) . ')'

Step 5

The callback function is then executed, setting the cookie on mydomain.com. Finally, we can either refresh the page or just alert the user using JavaScript that they are logged in (preferably both).

function setDomainCookie( user_data ) {
    if( user_data.success ) {
        // POST the uid/time/hash triple to mydomain.com/setcookie, then reload once the cookie is set
        $.post('/setcookie', user_data, function() {
            location.reload(true);
        });
    }
}

mydomain.com/setcookie is similar to Step 2. Of course this assumes both sites have access to the same database (and code).

if hash = disposable_salted_hash( $uid, time_stamp )
    SELECT unique_value FROM users WHERE uid = $uid
    set cookie on mydomain.com containing unique_value

Step 6

The next time the user refreshes the page, we can bypass the JSON-P callback.

if cookie on mydomain.com is valid
    loggedin = true
else
    delete cookie on mydomain.com
    proceed to Step 3

Logout

Step 7

The logout link on mydomain.com should go to central.com/logout.

Step 8

On central.com/logout, not only is the cookie deleted, but the unique value for that user is reset. The user is redirected back to mydomain.com.

delete cookie on central.com
UPDATE users SET unique_value = new_random_value() WHERE username = $username

Step 9

Now that the unique value is reset, Step 6 from above fails, the cookie is also deleted from mydomain.com, and the user is effectively logged out.

1. It is critical that central.com/check from Step 4 has the correct headers set so that it is not cached.

Steps 3-5 when the user is logging in may cause a slight delay. It's wise to both refresh and show some kind of JavaScript alert that they are logged in. It's also important for the script from Step 3 to be as close to the top of the page as possible.

In Step 5, you can optionally store a unique cookie value on each domain.

The separate central.com domain is not really necessary; you can just use one of the other domains as the central domain if you wish. The logic for that domain would obviously be different.

For this to work on Internet Explorer you will need a P3P policy attached to your cookies.

Hope this is helpful to people. I'd be very interested to receive feedback, especially if there are any security flaws from this method. I think the worst a hacker could do is replicate Steps 3-5 and log you in to mydomain.com without you knowing, but that would be harmless.
