Cross-domain PHP Sessions
Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. You are free to use and share it, but you must do so under the same licence, cite the original address, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/1339984/
Cross domain PHP Sessions
Asked by
I am building a site which allows a user to point a CNAME record at my site to run their "profiles", this allows your OWN domain name to load your profile on my site.
This is raising all sorts of issues related to sessions. I have seen virb do it. I don't see any of the information that is session based in an iFrame... but there IS an iFrame present on the page.
I can get the domain stuff to work, I just lose session data... Any ideas?
(Here is an example --Links to Virb-- http://www.agentspider.com/)
Answered by bucabay
You can't set cookies cross domain by default. I believe you can set up a P3P file(s) to enable it: http://p3ptoolbox.org/guide/section4.shtml#IVd I haven't done this myself, so I don't know how many of the browsers implement it or if it even works that way.
Virb looks like it's just using JavaScript. It has an AJAX library that makes a JSON-P request to the virb server if no session cookie is set. (On the first load in Firefox you can see this in Firebug.) The JSON response just lets the page know if the user is logged in or not, and updates the portions of the page that need to reflect user status.
So what's happening is the page embeds some JS from virb.com. Since the domain is virb.com, the cookies set for virb.com are sent to the server. The server then responds with the result of the cookie to the external site.
In the case of virb, which won't work properly without JS, I think that's a good option. However, you could do the same with HTTP redirects.
If the HTTP Host is not the main domain (example.com):
if (empty($_COOKIE['sessionid']) && $_SERVER['HTTP_HOST'] != 'example.com') {
    // no session cookie on the external domain: redirect to your main site
    header('Location: http://example.com');
    exit;
}
On the main site, set the cookie, and send the user back to the external domain (domain.com) passing the session id in the Location.
header('Location: http://domain.com/?sessid=' . urlencode($_COOKIE['sessionid'])); // pass the session id back to the external domain
exit;
The final bit is to redirect back to the page you were on now that you have the same session going.
setcookie('sessionid', $_GET['sessid']); // set the cookie for this domain from the sessid passed in the URL
header('Location: http://domain.com/');
exit;
Note, in actuality you can send the page you're currently on back to example.com in the first step, so you can redirect back to it later.
Since you're just using headers (you don't need to output content), and in most cases HTTP/1.1, so you'll be on the same TCP socket, I think it's pretty efficient and will be more widely supported than the JavaScript option.
Edit: don't forget to set the cookie when you get back to external domain.
The last step is optional, but it keeps the sessid from being in a URL, which is more of a security issue than keeping it in HTTP headers.
Answered by Anti Veeranna
The only way is to add session ids to the URLs that go from one domain to another (or add that session id to the iframe src URL), and then code your session storage backend to handle this.
Of course, you need to consider all the security issues that this approach brings along.
Answered by Yuda Prawira
Nothing simpler than:
1) create domain1.com/client.html with source:
<script type="text/javascript" src="http://domain2.com/server_set_cookie.php"></script>
2) create domain2.com/server_set_cookie.php with php source:
// P3P compact policy header: Internet Explorer required it before accepting a third-party cookie
header("p3p: CP=ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV");
// sets a cookie on domain2.com; the cookie name is taken from the request, the value is the literal 'cookie_name'
setcookie($_REQUEST['cookie_name'], 'cookie_name', time() + 3600);
http://smartcoding.wordpress.com/2009/07/12/setcookie-cross-domain-cookie-write/
Answered by silverskater
Not sure I understand your problem. Is it something like another domain calling something like www.userprofiles.com/profile.php?userid=1 and displaying the results? In this case profile.php will generate a new session id whenever it gets called. You need to set different ids for every external domain using your site and change profile.php to something like:
if (isset($_REQUEST['sid'])) session_id($_REQUEST['sid']); // reuse the session id passed by the caller
session_start();
and call the script like this www.userprofiles.com/profile.php?userid=1&sid=somesessionid1234
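As an added example (not code from any of the answers above), here is bucabay's redirect hand-off rewritten so that a short-lived one-time token, rather than the raw session id that his last step and silverskater's sid= parameter place in the URL, carries the session across hosts; it goes beyond the answers by binding the token to the target host and accepting only a same-host return path. Assumed names are MAIN_HOST, TOKEN_DIR, is_custom_host() and handoff.php, and both hosts are assumed to be served by the same PHP 8 application, as in the CNAME setup of the question.

```php
<?php
// Added example, not from the answers above: hand a session across hosts with a
// short-lived one-time token instead of the raw session id in the URL. Assumes
// both hosts hit the same PHP app (the CNAME setup from the question), PHP 8+.
const MAIN_HOST = 'example.com';   // assumption: your main site
const TOKEN_DIR = '/tmp/handoff';  // assumption: shared dir outside the web root
const TOKEN_TTL = 30;              // seconds a hand-off token stays valid

// Assumption: your app knows which custom hosts are registered (CNAME users).
function is_custom_host(string $host): bool { return in_array($host, ['domain.com'], true); }

// Step 1, on the custom domain: no session cookie yet -> bounce to the main host,
// carrying only the path we were on (never a full URL: avoids an open redirect).
function redirect_to_main_if_needed(): void {
    if (isset($_COOKIE[session_name()]) || $_SERVER['HTTP_HOST'] === MAIN_HOST) return;
    $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';
    header('Location: https://' . MAIN_HOST . '/handoff.php?host='
        . urlencode($_SERVER['HTTP_HOST']) . '&path=' . urlencode($path));
    exit;
}

// Step 2, on the main host (handoff.php): the session cookie is readable here, so
// mint a random one-time token bound to this session and send the user back.
function issue_handoff(string $host, string $path): void {
    if (!is_custom_host($host)) { http_response_code(400); exit; }
    session_start();
    $token = bin2hex(random_bytes(32));
    if (!is_dir(TOKEN_DIR)) mkdir(TOKEN_DIR, 0700, true);
    file_put_contents(TOKEN_DIR . "/$token", json_encode(
        ['sid' => session_id(), 'host' => $host, 'exp' => time() + TOKEN_TTL]));
    header("Location: https://$host/handoff.php?token=$token&path=" . urlencode($path));
    exit;
}

// Step 3, back on the custom domain: redeem the token exactly once, adopt the
// session (which sets the cookie for this host) and drop the token from the URL.
function redeem_handoff(string $token, string $path): void {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) { http_response_code(400); exit; }
    $file = TOKEN_DIR . "/$token";
    $rec = is_file($file) ? json_decode((string) file_get_contents($file), true) : null;
    if (is_file($file)) unlink($file);           // one-time use, even on failure
    if (!$rec || $rec['exp'] < time() || $rec['host'] !== $_SERVER['HTTP_HOST']) {
        http_response_code(403); exit;
    }
    session_id($rec['sid']);
    session_start();
    $safe = (str_starts_with($path, '/') && !str_starts_with($path, '//')) ? $path : '/';
    header('Location: ' . $safe);                // only a same-host path is accepted
    exit;
}
```

The token never appears in a cookie or log on the main host, expires after TOKEN_TTL seconds, and is deleted on first use, so an attacker who later obtains the URL cannot replay it to adopt the session.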

