问题描述
我看到iframe / p3p技巧是最受欢迎的一个,但我个人不喜欢它,因为javascript +隐藏字段+框架真的让它看起来像一个黑客工作。我还遇到了使用Web服务进行通信的主从方法(),它似乎更好,因为它对用户是透明的,它对不同的浏览器是鲁棒的。
I see iframe/p3p trick is the most popular one around, but I personally don't like it because javascript + hidden fields + frame really make it look like a hack job. I've also come across a master-slave approach using web service to communicate (http://www.15seconds.com/issue/971108.htm) and it seems better because it's transparent to the user and it's robust against different browsers.
有什么更好的方法,每个的优点和缺点是什么?
Is there any better approaches, and what are the pros and cons of each?
推荐答案
我的方法将一个域指定为中心域,将其他任何域指定为卫星域。
My approach designates one domain as the 'central' domain and any others as 'satellite' domains.
(或呈现持久登录cookie),登录表单最终将其数据发送到中心域上的URL,以及隐藏的表单元素,表示它来自哪个域(仅为了方便,因此用户被重定向回
When someone clicks a 'sign in' link (or presents a persistent login cookie), the sign in form ultimately sends its data to a URL that is on the central domain, along with a hidden form element saying which domain it came from (just for convenience, so the user is redirected back afterwards).
中央域的此页面然后继续设置会话cookie(如果登录进行顺利),并重定向回用户登录的任何域,在URL中为该会话所独有的令牌。
This page at the central domain then proceeds to set a session cookie (if the login went well) and redirect back to whatever domain the user logged in from, with a specially generated token in the URL which is unique for that session.
然后,卫星URL的页面检查该令牌,看看它是否对应于令牌是否为会话生成,如果是,则重定向到没有令牌的自身,并设置本地cookie。现在卫星域也有一个会话cookie。此重定向从URL中清除令牌,因此用户或任何搜寻器不太可能记录包含该令牌的URL(虽然如果它们这样做,那么令牌可以是一次性令牌)。
The page at the satellite URL then checks that token to see if it does correspond to a token that was generated for a session, and if so, it redirects to itself without the token, and sets a local cookie. Now that satellite domain has a session cookie as well. This redirect clears the token from the URL, so that it is unlikely that the user or any crawler will record the URL containing that token (although if they did, it shouldn't matter, the token can be a single-use token).
现在,用户在中央域和卫星域都有一个会话cookie。但是如果他们访问另一颗卫星怎么办?
Now, the user has a session cookie at both the central domain and the satellite domain. But what if they visit another satellite? Well, normally, they would appear to the satellite as unauthenticated.
然而,在我的应用程序中,每当用户处于有效会话中时,所有到另一个页面的链接的链接卫星域具有附加到其上的?或。我保留这个'查询字符串意味着检查中央服务器,因为我们认为这个用户有一个会话。也就是说,在任何HTML页面上都不显示任何令牌或会话ID,只有字母's'无法识别某人。
However, throughout my application, whenever a user is in a valid session, all links to pages on the other satellite domains have a ?s or &s appended to them. I reserve this 's' query string to mean "check with the central server because we reckon this user has a session". That is, no token or session id is shown on any HTML page, only the letter 's' which cannot identify someone.
接收这样的s标签会,如果没有有效的会话,做一个重定向到中央域说你能告诉我这是什么吗?
A URL receiving such an 's' query tag will, if there is no valid session yet, do a redirect to the central domain saying "can you tell me who this is?" by putting something in the query string.
当用户到达中央服务器时,如果他们被认证,那么中央服务器将只接收他们的会话cookie。然后,它将用另一个单用户令牌发送用户回到卫星,卫星将在登录之后视为卫星(见上文)。即,卫星现在将在该域上设置会话cookie,并重定向到自身以从查询字符串中移除令牌。
When the user arrives at the central server, if they are authenticated there the central server will simply receive their session cookie. It will then send the user back to the satellite with another single use token, which the satellite will treat just as a satellite would after logging in (see above). Ie, the satellite will now set up a session cookie on that domain, and redirect to itself to remove the token from the query string.
我的解决方案无需脚本, iframe支持。它需要添加到任何跨域网址,用户可能还没有在该网址的cookie。我想到了一种方法来解决这个问题:当用户首次登录时,为每个域设置一个重定向链,在每个域上设置一个会话cookie。我没有实现这一点的唯一原因是,它将是复杂的,你需要能够有一个设置顺序,这些重定向将发生在何时停止,并阻止你扩展超过15个域等(太多,你变得危险地接近许多浏览器和代理的重定向限制)。
My solution works without script, or iframe support. It does require '?s' to be added to any cross-domain URLs where the user may not yet have a cookie at that URL. I did think of a way of getting around this: when the user first logs in, set up a chain of redirects around every single domain, setting a session cookie at each one. The only reason I haven't implemented this is that it would be complicated in that you would need to be able to have a set order that these redirects would happen in and when to stop, and would prevent you from expanding beyond 15 domains or so (too many more and you become dangerously close to the 'redirect limit' of many browsers and proxies).
这篇关于你最喜欢的跨域cookie共享方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!