跨不同子域(但不是全部)进行身份验证
[英]Authenticating across different subdomains (but not all)
问题描述
I have a site set up on www.domain.com , the site can authenticate users and persist their credentials in a cookie.
我在www.domain.com上设置了一个站点,该站点可以对用户进行身份验证并将其凭据保存在 cookie 中。
On occasions the users access handlers that are set up on different servers on a different sub domain.有时,用户访问在不同子域的不同服务器上设置的处理程序。 handlers.domain.com
I can't afford to use wildcard subdomain cookies (Cookies should not be available for other subdomains)我不能使用通配符子域 cookies(Cookie 不应该可用于其他子域)
My solution for access control up until now was that every URL used for handlers.domain.com had a guid specific to the user.到目前为止,我的访问控制解决方案是每个用于handlers.domain.com的 URL 都有一个特定于用户的 guid。 The handlers on the other site would assume the identity of the guid owner.另一个站点上的处理程序将假定 guid 所有者的身份。 This of course is not such a good security practice.这当然不是一个很好的安全实践。
i was thinking about an alternative solution: All links to handlers.domain.com will actually be links to a redirector script on www.domain.com that will redirect to an encrypted time stamped url on handlers.domain.com which will then know for sure that it was accessed as a direct authenticated redirection from www.domain.com . i was thinking about an alternative solution: All links to handlers.domain.com will actually be links to a redirector script on www.domain.com that will redirect to an encrypted time stamped url on handlers.domain.com which will then know for确保它是作为来自www.domain.com的直接认证重定向访问的。 This solution will work fine on GET scenarios but will fail with handlers expecting POST data (up do big uploaded files)此解决方案在 GET 场景下可以正常工作,但会因处理程序期望 POST 数据而失败(上传大文件)
Does anyone know or can think of a better solution or have any insight on my solution?有谁知道或可以想到更好的解决方案或对我的解决方案有任何见解?
(In this case I am using ASP.NET but the solution will probably be platform agnostic, so I will tag this with various web platforms) (在这种情况下,我使用的是 ASP.NET 但解决方案可能与平台无关,因此我将使用各种 web 平台标记它)
Thanks!谢谢!
2 个解决方案
解决方案1
1 已采纳 2011-06-14 12:56:09
As you do not want to use cookies to establish a session (group of requests) you need to find other ways.由于您不想使用 cookies 来建立 session(请求组),因此您需要寻找其他方法。 As the information of the cookie is passed readable within the HTTP request, I do not see a problem if you for that one particular request pass that information as part of a POST request.由于 cookie 的信息在 HTTP 请求中以可读方式传递,因此如果您针对该特定请求将该信息作为 POST 请求的一部分传递,我认为没有问题。
If you prefer a GET request I would additionally add a flag inside the users server-side session prior the redirect so to give the script that is the destination of the redirect the possibility to verify the validity of the request on the server-side.如果您更喜欢 GET 请求,我还会在重定向之前在用户服务器端 session 中添加一个标志,以便为重定向目标的脚本提供验证服务器端请求有效性的可能性。
解决方案2
0 2011-06-14 12:56:05
You said you "can't afford to use wildcard subdomain cookies (Cookies should not be available for other subdomains)".您说您“不能使用通配符子域 cookies(Cookie 不应该可用于其他子域)”。 Does that mean you can't afford it monetarily or you you don't want the user to have access to all subdomains?这是否意味着您买不起它,或者您不希望用户访问所有子域? If it's the second, you could still use subdomain cookies by putting in an encrypted value with that user's ID and check it versus access permissions on your various subdomains.如果是第二个,您仍然可以使用子域 cookies,方法是使用该用户的 ID 输入一个加密值,并检查它与您各个子域的访问权限。 That keeps everything at the server where it's more secure versus at the URL level.与 URL 级别相比,这使服务器上的所有内容都更加安全。 The only way a potential hacker can get past it is to guess another user's ID and figure out your keys for properly encrypting it.潜在黑客可以通过它的唯一方法是猜测另一个用户的 ID 并找出您的密钥以正确加密它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.