与其他域共享cookie
[英]Share cookies with other domains
问题描述
I know that it's possible to allow other domains to read our domain cookie as long as they're sub domains of the same parent domain. 
我知道只要它们是同一父域的子域 ,就可以允许其他域读取我们的域cookie。
For example, intranet.abc.com and extranet.abc.com can allow cookies to be read by each other by specifying the domain property to .abc.com 例如, intranet.abc.com和extranet.abc.com可以通过为.abc.com指定域属性来允许彼此读取.abc.com
Now, I'm really in need that I can allow other domains to read my domain cookie (they are not sub domains of the same domain). 现在,我真的需要我可以允许其他域读取我的域cookie(它们不是同一域的子域 )。 I have searched a lot of discussions on the internet => all say "NO" due to security issues . 我在互联网上搜索了很多讨论=> 由于安全问题,所有人都说“不” 。 I'm not sure if I missed a solution out there because I don't see any security issues in this case. 我不确定我是否错过了那里的解决方案,因为在这种情况下我没有看到任何安全问题。 My server clearly ALLOWS this cookie to be read by an XYZ.COM domain because the cookie does not contain any sensitive information and XYZ.COM domain is my trusted domain, 我的服务器明确允许这个cookie由XYZ.COM域读取,因为cookie不包含任何敏感信息,而XYZ.COM域是我的可信域,
In my opinion, there should be a way to specify a list of other domains that are allowed to read a particular cookie in our domain , just like CORS, the server can decide if the information should be available to some trusted domains. 在我看来, 应该有一种方法来指定允许在我们的域中读取特定cookie的其他域的列表 ,就像CORS一样,服务器可以决定信息是否应该可用于某些可信域。
Please tell me if it's possible without using a workaround and if so, how to do it? 如果没有使用解决方法,请告诉我是否可行,如果是,该怎么做? If it's not possible, I really would like to know why. 如果不可能,我真的想知道原因。
Some information about what I'm implementing: 有关我正在实施的内容的一些信息:
I'm implementing a file download and on client side I need to detect whether the download is complete by periodically checking for a download token in the cookie using an interval in javascript. 我正在实现文件下载,在客户端我需要通过使用javascript中的间隔定期检查cookie中的下载令牌来检测下载是否完成。
The logic of the current system I'm working on at the moment may store the files in 2 different servers. 我目前正在处理的当前系统的逻辑可能将文件存储在2个不同的服务器中。 If the file is missing in the current server, it will download file in another server (another domain) 如果当前服务器中缺少该文件,它将在另一个服务器(另一个域)中下载文件
Thank you very much. 非常感谢你。
2 个解决方案
解决方案1
7 2014-06-07 01:33:52
You can read off-domain cookies by opening an iframe to specially instrumented page on the other domain and using the window.postMessage API to communicate between windows. 您可以通过打开iframe到其他域上的特殊检测页面并使用window.postMessage API在窗口之间进行通信来读取域外cookie。 HTML5 only, obviously. 显然只有HTML5。
Simplifying the postMessage API somewhat for brevity, consult MDN developer pages for full details. 为简洁起见,简化postMessage API,请参阅MDN开发人员页面以获取完整详细信息。 https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage
<iframe id="ifrm" src="http://other.domain.com/getCookie.html"></iframe>
<script>
var iframe = document.getElementById('ifrm');
window.addEventListener('message', function (e) {
if (e.source === iframe.contentWindow && e.origin === 'other.domain.com') {
var cookie = e.data;
//do something with cookie
}
});
//wait for the iframe to load...maybe ping it first...then
iframe.contentWindow.postMessage('give me the cookie:cookie name', 'other.domain.com');
</script>
/* in getCookie.html */
<script>
window.addEventListener('message', function (e) {
if (e.origin === 'your.domain.com') {
var soughtCookie = /give me the cookie\:(.*)/.exec(e.data)[1];
// read the cookie
var cookie = getCookieFn(soughtCookie)
e.source.postMessage(cookie.toString(), 'your.domain.com');
}
}, false);
</script>
解决方案2
1 2014-01-08 08:53:08
you could have a backend web service which shares the contents of the cookie with the 3rd party, but then your server would have to hold the cookie value in session and have a session id that is some how shared with the other website. 您可以拥有一个与第三方共享cookie内容的后端Web服务,但是您的服务器必须在会话中保存cookie值并且具有与其他网站共享的会话ID。
Can also special page and redirection so that the cookie value is read and passed to your domain as a form submit. 还可以使用特殊页面和重定向,以便读取cookie值并将其作为表单提交传递到您的域。
Lets say your domain is yours.com and on page yours.com/page1 you set some cookie value. 让我们说您的域名是yours.com,并在页面yours.com/page1上设置一些cookie值。
Now xyz.com , another domain wants that value. 现在是xyz.com,另一个域名想要这个价值。 xyz.com/somePage, redirects to yours.com/spl (along with parameter of the page to send user to say xyz.com/somePage2), Now yours.com/spl gets the cookie via JavaScript and then redirects to xyz.com/somePage2 passing the cookie value as a POST or a GET parameter. xyz.com/somePage,重定向到yours.com/spl(以及发送用户说xyz.com/somePage2的页面参数),现在yours.com/spl通过JavaScript获取cookie,然后重定向到xyz.com / somePage2将cookie值作为POST或GET参数传递。
Full working sample at http://sel2in.com/pages/prog/html/acrossSites/make.php (with a simple web service) http://sel2in.com/pages/prog/html/acrossSites/make.php上的完整工作示例(使用简单的Web服务)
AJAX not example wont work but can do it with iframes. AJAX不是例子,但是可以用iframe来做。
Code : 代码:
coki.js (goes on the first site that wants to expose cookies) coki.js(进入第一个想要公开cookie的网站)
function setCookie(cname,cvalue, daysExpire)
{
var d = new Date();
d.setTime(d.getTime()+(daysExpire * 24 * 60 * 60 * 1000));
var expires = "expires=" + d.toGMTString();
document.cookie = cname + "=" + cvalue + "; " + expires + " ; path=/ ;"
}
function getCookie(cname)
{
var name = cname + "=";
var ca = document.cookie.split(';');
for(var i=0; i<ca.length; i++)
{
var c = ca[i].trim();
if (c.indexOf(name)==0) return c.substring(name.length,c.length);
}
return "";
}
wsa.php (goes on site 1). wsa.php(进入网站1)。 To make it more secure can check the calling page/ container URL and use a dynamic secret key. 为了使其更安全,可以检查调用页面/容器URL并使用动态密钥。
<html>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
error_reporting(E_WARNING);
$d = $_REQUEST['s'];
if($d != "secret565"){
echo "Bad secret bye";
return;
}
$n = $_REQUEST['n'];
if($n == ""){
echo "No cookie name, bye";
return;
}
?>
<script src=coki.js>
</script>
<script >
n = '<?php echo "$n"?>'
v = getCookie(n)
//alert("For " + n + ", got :" + v + ".")
window.parent.gotVal(n, v)
</script>
getc.html getc.html
Goes on site 2, gets the value of cookie C1 or other cookie from site 1 via wsa.php, using an iframe. 在站点2上,使用iframe通过wsa.php从站点1获取cookie C1或其他cookie的值。 wsa.php reads the secret auth key and cookie name from its parameters, then calls a javascript function in containing page to pass back values wsa.php从其参数中读取秘密身份验证密钥和cookie名称,然后在包含页面中调用javascript函数以传回值
<form name=f1 action=ws.php method=post>
<h1>Get cookie from Javascript sample </h1>
http://sel2in.com/pages/prog/html/acrossSites/
<table>
<tr><td>Url from <td/><td> <input name=u1 value='wsa.php' size=100><td/></tr>
<tr><td>Cookie Name <td/><td> <input name=n value='C1'><td/></tr>
<tr><td>Secret <td/><td> <input name=s value='secret565'><td/></tr>
<tr><td><input type=button value='Go' onclick='s1do()' > <td/><td><td/></tr>
</table>
</form>
<div id = result>result here</div>
<div id = cc1>container</div>
v 2 c
<script>
function gotVal(n, v){
document.getElementById("result").innerHTML = "For " + n + ", got :" + v + "."
}
function s1do(){
document.getElementById("cc1").innerHTML = ""
n1 = document.f1.n.value
s1 = document.f1.s.value
url = document.f1.u1.value
qry = "s=" + escape(s1) + "&n=" + escape(n1)
s = "<iframe border=0 height =1 width=1 src=\"" + url + "?" + qry + "\" ></iframe>"
document.getElementById("cc1").innerHTML = s
}
</script>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.