十字(子)域的Ajax表单提交与验证码 [英] Cross (sub)domain ajax form submit with captcha
问题描述
我快到了以下问题。一个前端网站(www.domain.com)用于填补属于后端(backend.domain.com)的形式。这种形式的保护与验证码,并验证码参考值被保存在用户会话(在PHP)。
提交的材料应当基于Ajax的,这使一些问题的交叉领域。因此,一个写了www.domain.com一个小PHP代理。这个代理请求后端的形式。当用户提交表单,一个Ajax请求发送到代理服务器和代理服务器发送一个验证请求传递给后台,并返回结果。
这一切都工作得很好,除了那保存在用户会话中引用的验证码。由于前端网站将表单提交给后端,后端将使用一个会话前端。
什么是解决这一问题的最好方法是什么?我想出了2种方法。第一是将包括在形式(散列)的验证码的参考,从而使不需要的会话。另一种方法是将直接从后端包括的形式,使用iframe。第二种方法可能会工作得很好,但感觉真的很丑陋。你有什么建议了这样的情况?
更新:描述的情况的序列图:
客户端www.domain.com backend.domain.com
| | |
| -------访问网站----------> | |
| | -----拿到形式-----> |
| |< ----申报表--- |
|< ------申报表---------- | |
| | |
| -------提交表单---------> | |
| | -----提交表单 - > |
| |< ----送答复---- |
|< ------验证码失败------- | |
VVV
这感觉就像一个cookie(或会话号)的问题。为会话cookie中设置的有效期为WWW网站,而不是后台的网站。但是,由于所有的通信通过前端的推移,你能不能用前端网站做的授权?
客户端www.domain.com backend.domain.com
| | |
| -------访问网站----------> | |
| | --get登录表单 - > |
| |< ----申报表--- |
| |集饼干|
|< -return登录表单+ cookie-- | |
| | |
| ----提交登录表单------> | |
| | -----提交表单 - > |
| | |检查饼干
| |< ----送答复---- |
|< ------验证码失败------- | |
VVV
WWW网站必须设置cookie,因为它是与客户沟通,但后端检查它 - 因为Cookie设置为不同的域,后端无法访问它。解决方法:WWW要读取cookie并转发cookie数据到后端处理
I'm running into the following problem. A frontend website (www.domain.com) is used to fill in a form that belongs to the backend (backend.domain.com). This form is protected with a captcha, and the reference value for the captcha is saved in the user session (in PHP).
The submission should be Ajax based, which gives some problems with the cross domains. Therefore a wrote a little PHP proxy on www.domain.com. This proxy requests the form of the backend. When the user submits the form, an Ajax request is made to the proxy and the proxy sends a validation request to the backend and returns the result.
All of this works quite well, except for the captcha that saves the references in the user session. Since the frontend website submits the form to the backend, the backend will use a session for the frontend.
What would be the best way to fix this? I've came up with 2 methods. The first would be to include the reference of the captcha in the form (hashed), so that no sessions are needed. The other way would be to include the form directly from the backend, using an iframe. This second method will probably work fine, but it feels really ugly. What would you suggest for a situation like this?
Update: a sequence diagram describing the situation:
Client www.domain.com backend.domain.com
| | |
|-------visit site---------->| |
| |-----get form----->|
| |<----return form---|
|<------return form----------| |
| | |
|-------submit form--------->| |
| |-----submit form-->|
| |<----send reply----|
|<------captcha failed-------| |
v v v
It feels like a cookie (or session number) problem. The cookie set for the session is valid for the www site, but not for the backend site. But since all of the communication goes via your front-end, could you not use the front-end site to do the authorisation?
Client www.domain.com backend.domain.com
| | |
|-------visit site---------->| |
| |--get login form-->|
| |<----return form---|
| |set cookie |
|<-return login form+cookie--| |
| | |
|----submit login form------>| |
| |-----submit form-->|
| | |check cookie
| |<----send reply----|
|<------captcha failed-------| |
v v v
The www site must be setting the cookie since it's communicating with the client, but the backend checks it - as the cookie is set for a different domain, backend can't access it. Solution: www should read the cookie and forward the cookie data to backend for processing.
这篇关于十字(子)域的Ajax表单提交与验证码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
