IE10 sharing cookies across subdomains by default


Question

IE10 appears to handle cookies and subdomains differently than other major browsers (IE8, IE9, Firefox, Chrome, Safari).

We use subdomains extensively for test environments, e.g.:

  • user1.devel.example.com
  • user2.devel.example.com
  • qa.example.com

And our production environment lives at the top, e.g. example.com (and technically at www.example.com as well).

We use the PHP setcookie($name, $value, $expires) function naively (no explicit path or domain is specified) to set a cookie, and then clear cookies (when the user logs out) by assigning an empty string to the value. This has always worked fine, and each unique subdomain used its own cookies.

IE10 now "shares" the cookie that was set in the TLD with all subdomains. The initial symptom we observed was that no one could log out of the subdomain. We've observed a few things:

  • Even though the value is shared, no subdomain can clear the cookie.
  • When the TLD clears the cookie, it is immediately removed from all subdomains.

Has anyone else observed similar behavior in how IE10 stores/applies cookies relative to subdomains? Is there any workaround, other than being explicit about which domain the cookie applies to when sending the initial Set-Cookie header?

Accepted answer

I just ran into this issue.

Here is a link to someone exploring this bug/issue: Cookies with and without the Domain Specified (browser inconsistency)

This also might be related: Cookie set for subdomain, but IE Developer Tools show cookie at root domain. What am I missing?

My conclusion is that when setting a cookie from a non-www root domain ( http://sites.com ), in IE this is seen as a wildcard cookie for all subdomains. Chrome and Firefox do not show this behavior - they treat a cookie set from a non-www root domain as being associated only with that root.

I coded up example sites using .NET WebForms, IIS and my hosts file. I had 3 sites: a.site.com, b.site.com and site.com. They all served cookies with the exact same name. Let's call it "ShoppingCart".

You can set multiple properties on cookies, including the domain the cookie should be associated with. I left this property undefined, to be defined by .NET. When Chrome received the cookie from each site, it displayed the domain of the cookie as being explicitly the domain listed in the browser address bar. In IE this was not the case. IE treats the cookie from http://sites.com as being defined as ".sites.com", and according to the RFC for cookies this means it is accessible from all subdomains.

Also in IE, if multiple cookies are set with the same name, IE returns them to the server in the order they were set. So if I visit http://sites.com first and then visit http://a.sites.com and then refresh, IE views the cookie from http://sites.com as a valid cookie to send to the server in its request for http://a.sites.com, which is sent along with the cookie for http://a.sites.com, except the cookie for http://sites.com is the first in the list.

In .NET, from what I've seen, cookies are generally accessed by key name and not by index. So when the server-side code attempts to access the value for the key named "ShoppingCart", it will grab the value for the first site that set the cookie value - here that would be http://sites.com.

In summary - don't use non-www domains when you have subdomains that all share the same cookie key names because, while Chrome/Firefox handle the domain association as you would expect, IE causes buggy behavior.

Edit -

Just to clarify for anyone reading this, I was using IE10 to explore this issue.
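The answer's explanation of host-only versus domain cookies, and of same-name cookies being sent oldest first, can be modelled with a small RFC 6265-style cookie jar. This is an added example, not code from the question, the answer or any browser; the `ie10_quirk` flag, the `sites.com`/`a.sites.com` hosts and the cookie values are constructed, and "bare root domain" is approximated as a host with a single dot (no public-suffix handling).

```python
from dataclasses import dataclass, field
from itertools import count

_creation = count()  # browser-style creation-time stamp, used for send order

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # canonical host, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    created: int = field(default_factory=lambda: next(_creation))

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def store(jar: list, host: str, set_cookie: str, ie10_quirk: bool = False) -> None:
    """Apply a Set-Cookie header received from `host` to the jar.
    ie10_quirk models the answer's observation: a cookie set by a bare root domain
    without a Domain attribute behaves like Domain=.root (visible to subdomains)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    explicit = attrs.get("domain", "").lstrip(".").lower()
    if explicit:
        if not domain_matches(host, explicit):
            return  # RFC 6265 5.3 step 6: ignore a cookie scoped to a foreign domain
        new = Cookie(name, value, explicit, host_only=False)
    else:
        shared = ie10_quirk and host.count(".") == 1  # constructed "bare root" heuristic
        new = Cookie(name, value, host, host_only=not shared)
    for old in jar:  # same name + domain: update value, keep original creation time
        if old.name == new.name and old.domain == new.domain:
            old.value, old.host_only = new.value, new.host_only
            return
    jar.append(new)

def cookie_header(jar: list, host: str) -> list:
    """Cookies the client sends to `host`, oldest first (RFC 6265 section 5.4)."""
    sent = [c for c in jar
            if (c.domain == host if c.host_only else domain_matches(host, c.domain))]
    return [f"{c.name}={c.value}" for c in sorted(sent, key=lambda c: c.created)]

def scenario(ie10_quirk: bool, root: str = "sites.com") -> dict:
    """Root site sets ShoppingCart, then a.sites.com sets its own; report what
    a.sites.com receives and what a by-name (first match) lookup would read."""
    jar = []
    store(jar, root, "ShoppingCart=from-root", ie10_quirk)
    store(jar, "a.sites.com", "ShoppingCart=from-a", ie10_quirk)
    header = cookie_header(jar, "a.sites.com")
    pairs = [h.split("=", 1) for h in header]
    by_name = next((v for n, v in pairs if n == "ShoppingCart"), None)
    return {"cookie_header": header, "ShoppingCart": by_name}
```

With the quirk on, `scenario(True)` sends both cookies with the root's value first, so a by-name read returns the root's value; setting the root cookie from `www.sites.com` instead keeps it host-only and the subdomain reads its own value.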
