ASP.NET: questions about cross-domain cookies (domain names) - Practical Tips

Source: Internet
Author: User

Across subdomains
Cookies can be shared across the subdomains of one domain, which is easy to understand. For example, if the web application at www.test1.com creates a cookie and that cookie must also be readable at the sibling subdomain bbs.test1.com, set the cookie's domain attribute to test1.com (domain=test1.com) when creating it. In ASP.NET the code is as follows:

HttpCookie cookie = new HttpCookie("name", "www.Admin10000.com");
cookie.Domain = "test1.com";
cookie.Path = "/";
Response.Cookies.Add(cookie);


Across top-level domains
What if the two sites are not subdomains of one domain but sit under completely different top-level domain names, for example a cookie created by the web application at www.test1.com that you want to read from an application at www.test2.com or one of its subdomains? The conventional approach does not work here, so the question is whether there is any way to do it. In fact, cookies can be made to work across domains only under certain conditions, not arbitrarily.
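
The domain-matching rule behind both cases (bbs.test1.com can share a test1.com cookie, while www.test1.com cannot set one for test2.com), as an added JavaScript example that is not part of the original article. It follows RFC 6265 section 5.1.3; PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List, and the function names are hypothetical.

```javascript
// Added example: RFC 6265 domain matching, reduced to the cases on this page.
// PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org"]);

function normalize(domain) {
  // Browsers ignore a leading dot and compare case-insensitively.
  return domain.replace(/^\./, "").toLowerCase();
}

// RFC 6265 section 5.1.3: host matches domain if equal, or if domain is a
// dot-separated suffix of host and host is not an IP address.
function domainMatches(host, domain) {
  const h = normalize(host), d = normalize(domain);
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
  return !isIp && h.endsWith("." + d);
}

// Would a browser store a cookie that setterHost sent with this Domain attribute?
function acceptsSetCookie(setterHost, domainAttr) {
  if (!domainAttr) return true;              // no Domain: host-only cookie
  const d = normalize(domainAttr);
  if (PUBLIC_SUFFIXES.has(d)) return false;  // Domain=com is refused (simplified)
  return domainMatches(setterHost, d);       // the setter must sit inside the domain
}

// Would the stored cookie be sent on a request to requestHost?
function sentTo(requestHost, setterHost, domainAttr) {
  if (!acceptsSetCookie(setterHost, domainAttr)) return false;
  if (!domainAttr) return normalize(requestHost) === normalize(setterHost);
  return domainMatches(requestHost, domainAttr);
}

function demo() {
  return {
    subdomainShare: sentTo("bbs.test1.com", "www.test1.com", "test1.com"),
    hostOnly: sentTo("bbs.test1.com", "www.test1.com", null),
    crossSet: acceptsSetCookie("www.test1.com", "test2.com"),
    lookalike: domainMatches("mytest1.com", "test1.com"),
    ssoOnTest2: sentTo("www.test2.com", "www.test2.com", "test2.com"),
  };
}
console.log(demo());
```

Domain matching is only the first gate: current browsers also require SameSite=None and Secure on a cookie set from a cross-site iframe, and may block third-party cookies altogether.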

Let's run a test to see how the two sites www.test1.com and www.test2.com implement cross-domain cookie access. Normally this would need two top-level domain names and a DNS server on which to configure them, otherwise nothing could be verified. We don't need to go to that trouble here, because the hosts file can simulate it. The hosts file is in C:\windows\system32\drivers\etc; add these two lines at the end:

127.0.0.1 www.test1.com
127.0.0.1 www.test2.com

With them in place, both domain names resolve to the local loopback address. We only need to deploy one copy of the application on IIS, bound to the loopback address, and access it separately through the two domain names.

We create three new pages: Default.aspx, SSO.ashx and GetCookie.aspx.

Default.aspx is the www.test1.com page, reached at http://www.test1.com/Default.aspx. Its markup is shown below; it has no code-behind logic.

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="Admin10000.Web.Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>

    <script type="text/javascript">
        // Load the test2.com handler in a hidden iframe so that it can set its cookie.
        var _frm = document.createElement("iframe");
        _frm.style.display = "none";
        _frm.src = "http://www.test2.com/SSO.ashx";
        document.body.appendChild(_frm);
    </script>

    </div>
    </form>
</body>
</html>


The second is the SSO.ashx handler, which we treat as a www.test2.com page. It has no markup; its code-behind is as follows:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.SessionState;

namespace Admin10000.Web
{
    /// <summary>
    /// Summary description of $codebehindclassname$
    /// </summary>
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    public class SSO : IHttpHandler
    {

        public void ProcessRequest(HttpContext context)
        {
            // Create the cookie for the whole test2.com domain.
            HttpCookie cookie = new HttpCookie("name", "www.Admin10000.com");
            cookie.Domain = "test2.com";
            cookie.Path = "/";
            cookie.Expires = DateTime.Now.AddMinutes(10000);
            context.Response.Cookies.Add(cookie);

            context.Response.ContentType = "text/plain";
            // P3P compact policy so that IE accepts the cookie inside a cross-site iframe.
            context.Response.AddHeader("P3P", "CP=CAO PSA OUR");
            context.Response.Write("");
        }

        public bool IsReusable
        {
            get
            {
                return false;
            }
        }
    }
}


Finally there is the GetCookie.aspx page, which is also a page under www.test2.com. It has no markup, only code-behind:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Admin10000.Web
{
    public partial class GetCookie : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Print the cookie value if the browser sent it.
            if (Request.Cookies["name"] != null)
            {
                Response.Write(Request.Cookies["name"].Value);
            }
        }
    }
}


Now we can run the test. Visiting http://www.test1.com/Default.aspx calls the SSO.ashx page through the iframe, which runs the code-behind and creates the cookie. Then visit http://www.test2.com/GetCookie.aspx and the corresponding cookie is returned. This shows that a cookie created during a visit to www.test1.com can be accessed under www.test2.com; note that it is the SSO.ashx response from test2.com, loaded in the iframe, that actually sets it.

Points to note:
Admin10000.com tip: the code-behind of SSO.ashx contains the line context.Response.AddHeader("P3P", "CP=CAO PSA OUR"); which sets the P3P response header. IE supports P3P, so without this header the cookie is blocked when the iframe is cross-site and cannot be created. (Firefox does not currently support the P3P security feature, so the problem does not exist in Firefox and the P3P response header is not needed there.)

Through the iframe's src attribute, the cookie value from the test1.com domain is passed as a GET parameter to the SSO.ashx page in the test2.com domain. SSO.ashx reads the value passed from the test1.com domain and writes it into a cookie, which is a simple way to implement cross-domain cookie access.
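
A handler that copies a GET parameter into a cookie will accept any value a caller puts in the URL, so the hand-off needs an integrity and freshness check. The following is an added Node.js example, not code from the original article, of signing the value on the test1.com side and verifying it on the test2.com side; SHARED_SECRET, the parameter names p and sig, and the function names are assumptions.

```javascript
// Added example (Node.js): protect the value handed from test1.com to SSO.ashx.
const crypto = require("crypto");

// Assumption: both sites hold this secret; the value is a constructed sample.
const SHARED_SECRET = "constructed-demo-secret-change-me";
const MAX_AGE_MS = 60 * 1000; // a token is valid for one minute

function sign(payload) {
  return crypto.createHmac("sha256", SHARED_SECRET).update(payload).digest("hex");
}

// test1.com side: build the iframe src carrying value + issue time + MAC.
function buildHandoffUrl(value, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({ v: value, t: now })).toString("base64");
  const url = new URL("http://www.test2.com/SSO.ashx");
  url.searchParams.set("p", payload);
  url.searchParams.set("sig", sign(payload));
  return url.toString();
}

// test2.com side: return the value only if the MAC is valid and the token is fresh.
function verifyHandoff(urlString, now = Date.now()) {
  const q = new URL(urlString).searchParams;
  const payload = q.get("p") || "";
  const given = Buffer.from(q.get("sig") || "", "hex");
  const expected = Buffer.from(sign(payload), "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return null; // forged or altered parameter
  }
  let data;
  try {
    data = JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
  } catch {
    return null;
  }
  // Reject tokens that are expired or claim to come from the future.
  if (typeof data.t !== "number" || data.t > now || now - data.t > MAX_AGE_MS) return null;
  return data.v;
}
```

The MAC gives integrity and freshness only; the value still appears in URLs and server logs, so hand over an opaque short-lived identifier rather than a session secret.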

Alternatively, the Default.aspx page can call the handler through a script tag instead:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="Admin10000.Web.Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <script type="text/javascript" src="http://www.test2.com/SSO.ashx"></script>
    </div>
    </form>
</body>
</html>
