javascript cross-domain cookies - a maybe new idea
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
原文地址: http://stackoverflow.com/questions/16186645/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
Cross-domain-cookies - a maybe new idea
Asked by Raphael Jeger
My buddy Carsten Lau came along with an interesting idea on how to read cross-domain-cookies.
Situation: You want to read a cookie from domain "A" that was set on domain "B". Idea: From the client on domain "A", you execute a GET request to a dynamic resource on domain "B", e.g. an image or javascript, which on server "B" is in fact a programming language capable of reading cookies, like PHP, Java etc. With that request, you send a unique identifier like a session id. So the code on the client, which is looking at a site on domain "A", could look like this:
<img src="http://www.domainB.com/getCookie.php?sessionID=1234">
Now comes the funny part: server "B" reads, on the server side, the cookie set by domain "B" and either writes the result under the provided session id into a DB accessible by domain "A", or returns a response containing the cookie information to the client on domain "A", which then sends it via AJAX to server "A".
I am pretty sure there is a flaw we didn't find yet. I personally believe server "B" will not be able to read the cookie information because the client browser's URL points to domain "A", but of course the "getCookie" request explained above points to "B".
Please tell us what you think about it, why it works or why it can't work. A small proof of concept was, to my big surprise, successful.
Answered by Darin Dimitrov
This is normal, because you have control of the 2 domains. This is how most websites achieve cross-domain single sign-on, by the way. But if you do not have control of the second domain you cannot read cookies from it.
Answered by jmealy
I put together an NPM package to help with cross-domain cookie/localStorage usage. I know this post is a bit old, but I thought I'd share, in case anyone else needs help with this:
By using an iframe hosted on Domain A, you can store all of your user data on Domain A, and reference that data by posting requests to the Domain A iframe.
Thus, Domains B, C, etc. can inject the iframe and post requests to it to store and access the desired data. Domain A becomes the hub for all shared data.
With a domain whitelist inside of Domain A, you can ensure only your dependent sites can access the data on Domain A.
The trick is to have the code inside of the iframe on Domain A which is able to recognize which data is being requested. The README in the above NPM module goes more in depth into the procedure.
Hope this helps!
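An added example, not jmealy's package or its README, of the hub pattern this answer describes: the request handler that runs inside the Domain A iframe with the domain whitelist, the browser wiring on both sides of the postMessage channel, and an in-memory stand-in for localStorage so the handler can be exercised outside a browser. The origins, the /hub.html path and the {id, op, key, value} message shape are assumptions.

```javascript
// Added example (not jmealy's package): the hub pattern from the answer.
// Origins, the /hub.html path and the {id, op, key, value} message shape are assumptions.

// Sites allowed to use the hub. Exact origin strings, compared with ===: a suffix
// check like endsWith('domainB.com') would also admit "https://evil-domainB.com".
const ALLOWED_ORIGINS = ['https://www.domainB.com', 'https://www.domainC.com'];

function isAllowedOrigin(origin) {
  return ALLOWED_ORIGINS.includes(origin);
}

// Core of the hub: validate one request and apply it to `store`, which is anything
// with getItem/setItem/removeItem (window.localStorage in the browser).
// Returns the reply to post back, or null when the sender must get nothing at all.
function handleHubRequest(origin, msg, store) {
  if (!isAllowedOrigin(origin)) return null;
  if (!msg || typeof msg !== 'object' || typeof msg.key !== 'string') {
    return { id: msg && msg.id, ok: false, error: 'bad request' };
  }
  switch (msg.op) {
    case 'get':
      return { id: msg.id, ok: true, value: store.getItem(msg.key) };
    case 'set':
      store.setItem(msg.key, String(msg.value));
      return { id: msg.id, ok: true };
    case 'remove':
      store.removeItem(msg.key);
      return { id: msg.id, ok: true };
    default:
      return { id: msg.id, ok: false, error: 'unknown op' };
  }
}

// Inside the Domain A iframe (browser only): installHub(window, window.localStorage).
function installHub(win, store) {
  win.addEventListener('message', (event) => {
    const reply = handleHubRequest(event.origin, event.data, store);
    // Reply only to the verified origin; a '*' targetOrigin would deliver the value
    // even if the requesting window has since navigated to some other site.
    if (reply) event.source.postMessage(reply, event.origin);
  });
}

// On Domain B or C (browser only): inject the hidden iframe and talk to it.
function createHubClient(doc, win, hubOrigin) {
  const frame = doc.createElement('iframe');
  frame.style.display = 'none';
  frame.src = hubOrigin + '/hub.html';
  const ready = new Promise((resolve) => frame.addEventListener('load', resolve));
  doc.body.appendChild(frame);
  const pending = new Map();
  let seq = 0;
  win.addEventListener('message', (event) => {
    if (event.origin !== hubOrigin) return;          // ignore anything not from the hub
    const id = event.data && event.data.id;
    if (pending.has(id)) { pending.get(id)(event.data); pending.delete(id); }
  });
  return {
    request(op, key, value) {
      return ready.then(() => new Promise((resolve) => {
        const id = ++seq;
        pending.set(id, resolve);
        // targetOrigin pins the recipient: nothing is sent if the frame is elsewhere.
        frame.contentWindow.postMessage({ id, op, key, value }, hubOrigin);
      }));
    },
  };
}

// In-memory stand-in for localStorage so handleHubRequest can run under Node.
class MemoryStore {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, v); }
  removeItem(k) { this.m.delete(k); }
}
```

The two origin checks are the whole security of the scheme: the hub decides who may read or write from event.origin (which the browser sets and a page cannot forge), and each side passes an explicit targetOrigin to postMessage so a value is never handed to a window that has been navigated away. In the browser, installHub(window, window.localStorage) goes in hub.html on Domain A and createHubClient(document, window, 'https://www.domainA.com').request('get', 'token') on the dependent sites.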