Cross-origin cookies

Source: Internet
Author: User


Cookies are the mechanism that lets web developers keep their users logged in. Trouble starts as soon as a site spans more than one domain name. Under the cookie specification a cookie is scoped to a domain and is never sent with requests to other domains, so a cookie set for one domain is simply absent when the browser talks to another. Letting a user who logs in on one of your sites be logged in on your other domains as well is therefore a real challenge.

Across subdomains

Cookies can be shared across subdomains, and this is easy to understand. If a web application at www.test1.com creates a cookie and the application at a subdomain such as bbs.test1.com needs to read it, set the Domain attribute to test1.com when creating the cookie. (A cookie created without a Domain attribute is host-only: the browser returns it to www.test1.com and to nothing else.) The following code uses ASP.NET as an example:

HttpCookie cookie = new HttpCookie("name", "www.Admin10000.com");
cookie.Domain = "test1.com";   // sent to test1.com and to every subdomain of it
cookie.Path = "/";
Response.Cookies.Add(cookie);
Across top-level domains

What if the two sites are not subdomains of one name but entirely different registered domains? Say the application at www.test1.com creates a cookie and wants it available at www.test2.com or one of its subdomains. The Domain attribute cannot do this: a browser rejects a Set-Cookie whose Domain does not cover the host that sent it. The question is whether there is any other way. There is, but only under specific conditions; cookies do not cross origins at will.
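The domain rule behind the two sections above, as an added example that is not code from the original article: a small model of the RFC 6265 domain-matching and cookie-storage rules, run against the hosts used on this page. It shows why a cookie with Domain=test1.com reaches bbs.test1.com but never www.test2.com, and why www.test1.com cannot set a test2.com cookie at all. The function names and the constructed cookie jar are mine.

```javascript
// Added example, not from the original article: the cookie domain-matching rule
// (RFC 6265 section 5.1.3) applied to the hosts used above.

// True when a cookie with the given Domain attribute would be sent to requestHost.
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  // Suffix match on a label boundary; IPv4 literals never domain-match.
  if (!host.endsWith("." + domain)) return false;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return true;
}

// Mirrors what a browser does on Set-Cookie from settingHost. A cookie without a
// Domain attribute is host-only; one whose Domain does not cover the setting host
// is rejected outright (section 5.3, step 6), which is what stops www.test1.com
// from planting a test2.com cookie.
function storeCookie(settingHost, name, value, domainAttr) {
  if (domainAttr === undefined) {
    return { name, value, domain: settingHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatch(settingHost, domainAttr)) return null;
  return { name, value, domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// True when a stored cookie is attached to a request for requestHost.
function cookieAppliesTo(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatch(requestHost, cookie.domain);
}

// Builds the Cookie header a browser would send to requestHost from a cookie jar.
function cookieHeaderFor(jar, requestHost) {
  return jar
    .filter((c) => c !== null && cookieAppliesTo(c, requestHost))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jar: the article's cookie, a host-only cookie, and a rejected attempt.
const JAR = [
  storeCookie("www.test1.com", "name", "www.Admin10000.com", "test1.com"),
  storeCookie("www.test1.com", "hostonly", "1"),
  storeCookie("www.test1.com", "name", "x", "test2.com"), // null: browser rejects it
];

console.log(cookieHeaderFor(JAR, "bbs.test1.com")); // name=www.Admin10000.com
console.log(cookieHeaderFor(JAR, "www.test2.com")); // (empty)
```

The third jar entry is the whole point of the next section: the only party that can create a test2.com cookie is a response from a test2.com host, so the page on test1.com has to make the browser fetch something from test2.com.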

Let's test how www.test1.com and www.test2.com can share a cookie. Strictly, this needs two registered domains and a DNS server to resolve them; otherwise the names cannot be resolved at all. For a test we can simulate it by editing the hosts file. On Windows it lives at c:\windows\system32\drivers\etc\hosts; add:

127.0.0.1    www.test1.com
127.0.0.1    www.test2.com

Both names now resolve to the local loopback address. We deploy a single web application on IIS bound to that address, and it can be reached under either name.

We create three new pages: Default.aspx, SSO.ashx and GetCookie.aspx.

Default.aspx is the page on www.test1.com, reached at http://www.test1.com/default.aspx. It consists of front-end markup only and has no code-behind logic:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="Admin10000.Web.Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <script type="text/javascript">
            // Load the test2.com handler in a hidden frame; its response sets the test2.com cookie.
            var _frm = document.createElement("iframe");
            _frm.style.display = "none";
            _frm.src = "http://www.test2.com/SSO.ashx";
            document.body.appendChild(_frm);
        </script>
    </div>
    </form>
</body>
</html>

The second is SSO.ashx, which we treat as a page on www.test2.com. It has no front-end markup; the handler code is as follows:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.SessionState;

namespace Admin10000.Web
{
    /// <summary>
    /// Handler that sets a test2.com cookie when it is loaded from another site's frame.
    /// </summary>
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    public class SSO : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            // The cookie is set by test2.com for test2.com; the browser accepts it
            // because the Domain attribute covers the responding host.
            HttpCookie cookie = new HttpCookie("name", "www.Admin10000.com");
            cookie.Domain = "test2.com";
            cookie.Path = "/";
            cookie.Expires = DateTime.Now.AddMinutes(10000);
            context.Response.Cookies.Add(cookie);

            context.Response.ContentType = "text/plain";
            // P3P compact policy; without it IE drops cookies set from a third-party frame.
            context.Response.AddHeader("P3P", "CP=CAO PSA OUR");
            context.Response.Write("");
        }

        public bool IsReusable
        {
            get { return false; }
        }
    }
}

Finally there is GetCookie.aspx, also on www.test2.com. Its markup is empty; only the code-behind matters:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Admin10000.Web
{
    public partial class GetCookie : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Echo the "name" cookie if the browser sent one for test2.com.
            if (Request.Cookies["name"] != null)
            {
                Response.Write(Request.Cookies["name"].Value);
            }
        }
    }
}

Now run the test. Opening http://www.test1.com/Default.aspx loads SSO.ashx in the hidden iframe; the handler runs and creates the cookie. Opening http://www.test2.com/GetCookie.aspx afterwards prints the cookie value. So a visit to www.test1.com has produced a cookie that is readable on www.test2.com. Be precise about what happened, though: the cookie was set by a response from www.test2.com, for Domain=test2.com, while the browser was rendering a test1.com page. The test2.com server wrote its own cookie in a third-party context; www.test1.com never set a test2.com cookie itself, and it cannot.

Note:

In the SSO.ashx code, context.Response.AddHeader("P3P", "CP=CAO PSA OUR") sets the P3P response header. Internet Explorer implements P3P: without a compact policy it blocks a cookie that a cross-site iframe tries to set, so the cookie would never be created. Firefox does not implement P3P, so the header is not needed there. Current browsers go further: a cookie with no SameSite attribute is treated as SameSite=Lax and is not stored from a cross-site iframe at all, so this technique now needs SameSite=None together with Secure (and therefore HTTPS), and browsers that block or partition third-party cookies may refuse it regardless of headers.
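To make the note above concrete, here is an added example (not code from the original article) that models whether the Set-Cookie returned by SSO.ashx inside the cross-site iframe is stored by the browser. It applies two rules: the legacy IE rule the note describes (a P3P header must be present) and the SameSite rule current browsers apply. The parser, the function names and the two constructed response header sets are mine; the first set reproduces the headers the article's handler emits.

```javascript
// Added example, not from the original article: will the browser store the
// cookie that SSO.ashx sets from inside a cross-site iframe?

// Splits "name=value; Attr; Attr=val" into a plain object.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    sameSite: null, // null: attribute absent
    domain: null,
    path: "/",
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "secure": cookie.secure = true; break;
      case "samesite": cookie.sameSite = v.toLowerCase(); break;
      case "domain": cookie.domain = v.toLowerCase(); break;
      case "path": cookie.path = v; break;
      // Expires, HttpOnly and unknown attributes do not affect this decision.
    }
  }
  return cookie;
}

// Legacy IE behaviour as the article's note describes it: a cookie set by a
// third-party frame is dropped unless the response carries a P3P header.
function acceptedByLegacyIE(responseHeaders) {
  return Object.keys(responseHeaders).some((h) => h.toLowerCase() === "p3p");
}

// Current browsers: no SameSite attribute means Lax, and Lax or Strict cookies
// are not stored from a cross-site iframe response. Only SameSite=None is
// accepted, it requires Secure, and Secure requires the framed URL to be https.
function acceptedBySameSiteRules(cookie, framedUrl) {
  const effective = cookie.sameSite === null ? "lax" : cookie.sameSite;
  if (effective !== "none") return false;
  if (!cookie.secure) return false;
  return framedUrl.startsWith("https://");
}

function evaluateSsoResponse(framedUrl, responseHeaders) {
  const cookie = parseSetCookie(responseHeaders["Set-Cookie"]);
  return {
    legacyIE: acceptedByLegacyIE(responseHeaders),
    modern: acceptedBySameSiteRules(cookie, framedUrl),
  };
}

// Constructed sample: the headers the article's SSO.ashx produces.
const ARTICLE_RESPONSE = {
  "Content-Type": "text/plain",
  "P3P": "CP=CAO PSA OUR",
  "Set-Cookie": "name=www.Admin10000.com; domain=test2.com; path=/",
};

// Constructed sample: what the handler would have to emit for today's browsers.
const HARDENED_RESPONSE = {
  "Content-Type": "text/plain",
  "Set-Cookie": "name=www.Admin10000.com; domain=test2.com; path=/; Secure; SameSite=None",
};

console.log(evaluateSsoResponse("http://www.test2.com/SSO.ashx", ARTICLE_RESPONSE));   // { legacyIE: true, modern: false }
console.log(evaluateSsoResponse("https://www.test2.com/SSO.ashx", HARDENED_RESPONSE)); // { legacyIE: false, modern: true }
```

The model deliberately stops at attributes: browsers that disable or partition third-party cookies entirely will reject even the hardened response, and nothing in the headers can change that.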

The value itself can also be handed over: use the src attribute of the iframe to pass the cookie value from the test1.com domain to SSO.ashx in the test2.com domain as a GET parameter. SSO.ashx reads the value from the query string and writes it into its own cookie, and the cookie has crossed domains. Be aware of what this hands out: a handler that stores whatever arrives in the query string lets any page that can frame or link to SSO.ashx set that cookie to a value of its choosing in a visitor's browser, and the value is exposed in URLs, referrers and server logs. At minimum the handler should verify that the value really came from test1.com, for example by accepting only a signed, short-lived token, before it writes the cookie.

The Default.aspx page can also be written to use a script tag instead of an iframe:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="Admin10000.Web.Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <!-- The script request to test2.com carries the same Set-Cookie response; the empty body is harmless as JavaScript. -->
        <script type="text/javascript" src="http://www.test2.com/SSO.ashx"></script>
    </div>
    </form>
</body>
</html>
