跨域 cookie - 一个可能的新想法

本文介绍了跨域 cookie - 一个可能的新想法的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我的好友 Carsten Lau 提出了一个关于如何读取跨域 cookie 的有趣想法.

My buddy Carsten Lau came along with an interesting idea on how to read cross-domain-cookies.

情况:您想从域A"中读取设置在域B"上的 cookie.想法:从域A"上的客户端，您对域B"上的动态资源执行 get-request – f.e.一个图像或 javascript，它在服务器B"上实际上是一种能够读取 cookie 的编程语言，如 PHP、Java 等.通过该请求，您发送一个唯一标识符，如会话 ID.因此，客户端上查看域A"上的站点的代码可能如下所示:

Situation: You want to read a cookie from domain "A" that was set on domain "B".Idea: From the client on domain "A", you execute a get-request to a dynamic resource on domain "B" – f.e. an image or javascript, which on the server "B" is in fact a programming language capable of reading cookies like PHP, Java etc. With that request, you send an unique identifier like a session id. So the code on the client which looks at a site on domain "A" could look like this:

<img src="www.domainB.com/?getCookie.php?sessionID=1234">

现在有趣的部分来了，服务器 B 在服务器端读取域B"设置的 cookie，并使用提供的会话 ID 将结果写入域A"可访问的数据库中或返回包含cookie 信息发送到域A"上的客户端，然后客户端通过 AJAX 将其发送到服务器A".

Now comes the funny part, server B reads on server-side the cookie set by domain "B" and writes the result with the provided session-id either in a DB accessible by domain "A" or returns a response which contains the cookie information to the client on domain "A" which then sends it via AJAX to server "A".

我很确定存在我们尚未发现的缺陷.我个人认为服务器B"将无法读取 cookie 信息，因为客户端浏览器 URL 指向域A"，但当然上面解释的getCookie"请求指向B".

I am pretty sure there is a flaw we didn't find yet. I personally believe server "B" will not be able to read cookie informations because the client-browsers URL points to domain "A", but of course the "getCookie"-request explained above points to "B".

请告诉我们您对它的看法、为什么它有效或为什么它无效.令我惊讶的是，一个小小的概念证明取得了成功.

Please tell us what you think about it, why it works or why it can't work. A small proof of concept was, to my big surprise, successful.

Carsten

跨域 cookie - 一个可能的新想法

问题描述

推荐答案