How Taobao obtains Cookie analysis across domains

I recently found a small detail when I used Taobao, so I wrote this article.

After logging on to www.taobao.com, we directly switch to the www.tmall.com domain name and find that "Hello, andyfaces" is displayed at the top of the www.tmall.com homepage. so we will analyze the implementation mechanism here.

First, the user name should be stored in the cookie, so in the taobao.com domain name, you can see that the user name is actually stored in the cookie in firefox, and tmall.com does not store the cookie:

It is certain that the cookie does not allow access from the domain. In both JS and Server applications, how does tmall.com access the cookie under taobao.com?

So I opened tmall.com and used firebug for debugging. I found a request statement like this.

The JS Code on the page is:

 
 

  
  
<script>    
  
  
        KISSY.getScript("http://www.taobao.com/go/app/tmall/login-api.php?"+Math.random())    
  
  
        </script>   
 
 

After seeing this, I probably knew how to deal with it. To confirm it, I searched for the KISSY. getScript function code and actually used the JS cross-origin JSONP solution:

 
 

  
  
getScript: function(url, success, charset) {    
  
  
            var isCSS = RE_CSS.test(url),    
  
  
                node = doc.createElement(isCSS ? 'link' : 'script'),    
  
  
                config = success, error, timeout, timer;    
  
  
    
  
  
                node.src = url;    
  
  
                node.async = true;    
  
  
    
  
  
            scriptOnload(node, function() {    
  
  
                    if (timer) {    
  
  
                        timer.cancel();    
  
  
                        timer = undef;    
  
  
                    }    
  
  
    
  
  
                    S.isFunction(success) && success.call(node);    
  
  
    
  
  
                    // remove script    
  
  
                    if (head && node.parentNode) {    
  
  
                        head.removeChild(node);    
  
  
                    }    
  
  
                });    
  
  
            head.insertBefore(node, head.firstChild);    
  
  
      }   
 
 

The principle is to dynamically load js through the dynamic create js include, and then determine the onreadystatechange for the bind onload event of the script node or. For details, refer to the processing of the above scriptOnload function. After the js load is complete, use the callback method to execute the success function.

For further confirmation, the $. getScript of Jquery is used to test a test. First, log on to taobao.com and write a test page locally. Run the following statement:

 
 

  
  
$.getScript('http://www.taobao.com/go/app/tmall/login-api.php?0.6783450077710154', function(){    
  
  
    console.log("the taobao.com cookie object:" + userCookie + " username:" + userCookie._nk_);    
  
  
});   
 
 

Firbug result:

In fact, the general principle is that, by providing a php request address on the server side of www.taobao.com to obtain all the cookies in the current domain, the php will get the cookie and generate the js Code, that is, the second one shown above. Then, the jsonp method is used to load the js Code in tmall to implement cross-origin access to cookies.

Link: http://www.iteye.com/topic/1000776