
Cookie browser behaviour on redirects from a domain to another

Suppose that amazon.com sets a redirect header on its homepage to google.com. Upon visiting amazon.com, the browser fetches the response, reads from the header that it should head over to google.com, and proceeds to make another request to google.com. I understand that in this second request, the browser sends the cookies that the user may previously have had with google.com, is this correct? That is to say, if the user was previously logged in to his account on google.com he will appear logged in when amazon.com redirects there.

Just trying to make sure I understand all corner cases in interaction with external parties in a web app.

"The browser sends the cookies that the user may previously have had with google.com, is this correct?"

Yes.

Unless the cookie has expired, whenever a domain/path is hit that has a cookie stored for it, that cookie is automatically sent with the request headers.

http://tools.ietf.org/html/rfc6265#section-4.2

However, Google's login procedure is fairly complex, as it covers all their domains and systems. It may redirect around a little to re-establish the user's login via a "remember-me token" and a fresh cookie set from their central auth domain. They aren't the most straightforward example, but your general understanding of it is correct.

The definitive guide to form-based website authentication

This community wiki includes some good details on different authentication techniques, including "remember-me tokens".
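To make the answer concrete, here is an added example (not from the original post or any browser's code) that models what a cookie jar does on each hop of a redirect chain: every hop is a fresh request, and only cookies whose domain and path match that hop's URL, and which have not expired, are attached. The cookie names, hosts and the amazon.com -> google.com -> accounts.google.com chain are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

NOW = 1_700_000_000.0  # constructed "current time", seconds since the epoch

@dataclass
class Cookie:
    name: str
    domain: str                    # host the cookie was stored against
    path: str = "/"
    host_only: bool = True         # True when Set-Cookie had no Domain attribute
    expires: float = float("inf")  # absolute expiry; inf = session cookie

def domain_matches(host, c):
    # RFC 6265 s5.1.3: host-only cookies need an exact match; Domain cookies also match subdomains
    if c.host_only:
        return host == c.domain
    return host == c.domain or host.endswith("." + c.domain)

def path_matches(req_path, cookie_path):
    # RFC 6265 s5.1.4 path-match
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False

def cookies_for(jar, url, now):
    # cookies the browser attaches to a request for url (RFC 6265 s5.4)
    u = urlsplit(url)
    return [c for c in jar if c.expires > now
            and domain_matches(u.hostname, c) and path_matches(u.path or "/", c.path)]

def follow_redirects(start, redirects, jar, now):
    # each hop of the chain is a fresh request, matched against the jar on its own
    trace, url = [], start
    while url is not None:
        trace.append((url, sorted(c.name for c in cookies_for(jar, url, now))))
        url = redirects.get(url)  # None ends the chain
    return trace

def demo():
    jar = [  # constructed cookie jar
        Cookie("session-id", "amazon.com"),
        Cookie("SID", "google.com", host_only=False),      # Domain=google.com
        Cookie("OLD", "google.com", expires=NOW - 1),      # already expired
        Cookie("MAILPREF", "google.com", path="/mail"),    # path-scoped
    ]
    redirects = {"https://amazon.com/": "https://google.com/",  # constructed chain
                 "https://google.com/": "https://accounts.google.com/check"}
    return follow_redirects("https://amazon.com/", redirects, jar, NOW)
```

`demo()` shows the amazon.com cookie going only to the first hop, the Domain-scoped `SID` reaching both google.com and its auth subdomain, and the expired and path-scoped cookies staying home.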
