Cross-Domain Session Problems

Source: Internet
Author: User
Tags: form post

Cross-origin session problems:

Java:

Add the following to the EncodingFilter.java file of the servlet application:
Code:
HttpServletResponse res = (HttpServletResponse) sresponse;
// Compact policy value quoted as the P3P compact-policy-field grammar requires
res.setHeader("P3P", "CP=\"CAO PSA OUR\"");
It's just the strange string above; I found it online. It's exhausting.
Thanks to the brothers above.
---
You may not normally deal with the HTTP protocol directly, but you still need to understand the root cause of the problem.
For example, P3P:
http://msdn2.microsoft.com/en-us/library/ms537343.aspx
---
P3P is Microsoft's privacy policy. Generally, a cross-domain IFRAME or frameset is subject to the "Medium" privacy policy by default, and this level of policy refuses to keep the session. CAO PSA OUR means that you agree to keep the session across domains, but it also means that your website is no longer secure.

ASP (VBScript; the inner quotes are doubled because the value itself is quoted):
Response.AddHeader "P3P", "CP=""CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"""

.NET:

1. Session loss in an IE IFRAME

During development we often work with frames, and sometimes we integrate with other websites across several domains. In that case the IFRAME cannot keep its session. Many related articles suggest the sessionState configuration in Web.config:

<sessionState mode="StateServer"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
    cookieless="false"
    timeout="40" />

and changing cookieless="false" to cookieless="true". This has a small problem of its own: with cookieless sessions the session ID lives in the URL, so if a page redirects with JavaScript by assigning window.location.href, ASP.NET treats that as a new request without a session ID and generates a new one, and the original session is lost just the same. Redirecting with Response.Redirect() keeps the session ID in the URL and is therefore the better choice. Be aware that a session ID carried in the URL also ends up in browser history, proxy and server logs and Referer headers, so cookieless mode trades the IFRAME problem for a session-exposure problem.

Besides the IFRAME session loss, a frameset has the same problem, and there it is less predictable: sometimes the session is lost and sometimes it is not, which is a headache. I found a method on the Internet and added a statement to Page_Load:
Response.AddHeader("P3P", "CP=\"CAO PSA OUR\"");
This solved the session loss in the frameset. As for the specific reasons, there was no time to understand them.

The simplest way is to set it in IIS.

Solution

Response.AddHeader("P3P", "CP=\"CAO PSA OUR\"");

A compact policy only tells IE to accept the cookie in a third-party (framed) context; it does not change how the cookie itself is protected. Once IE accepts the cookie it is also sent on cross-site requests that an attacker's page forges, so keep the session cookie HttpOnly and Secure and protect state-changing requests against CSRF. Current browsers other than IE ignore P3P, and Microsoft removed it from Internet Explorer 11 on Windows 10; for them, whether a cookie is sent inside a cross-site frame is governed by the SameSite cookie attribute (SameSite=None; Secure).

But do we need to add this to every page?

Not required.

If you have the right to configure the IIS server:

Open IIS
Administrative Tools --> select the website --> Properties --> HTTP Headers --> add a custom HTTP header
Enter the header name: P3P
Enter the header value: CP="CAO PSA OUR"

If you do not have permission to configure the IIS server but you are using ASP.NET:

You can use an HttpModule to insert the header into the responses of all, or only some, of the pages.

A directory on this site is implemented in this way.
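The page describes emitting the header from one place (an IIS custom header or an ASP.NET HttpModule) instead of from every page. The following is an added example, not code from the page or from the sites it quotes: the equivalent hook for a Python WSGI application, which adds the page's P3P value to every response, or only to responses under chosen directories, and leaves a page alone if it already sets its own policy. The application, paths and cookie are hypothetical and constructed for the example.

```python
# Added example (not the page's code): WSGI counterpart of the IIS / HttpModule
# approach. Application, paths and cookie below are hypothetical.

P3P_COMPACT_POLICY = 'CP="CAO PSA OUR"'   # the value used throughout the page


class P3PHeaderMiddleware:
    """Add a P3P compact policy to responses, site-wide or for chosen directories."""

    def __init__(self, app, cp_value=P3P_COMPACT_POLICY, path_prefixes=None):
        self.app = app
        self.cp_value = cp_value
        # None means every response; otherwise only paths under these prefixes
        # (the page mentions doing this for a single directory of a site).
        self.path_prefixes = tuple(path_prefixes) if path_prefixes else None

    def _applies(self, environ):
        if self.path_prefixes is None:
            return True
        path = environ.get("PATH_INFO", "") or "/"
        return path.startswith(self.path_prefixes)

    def __call__(self, environ, start_response):
        if not self._applies(environ):
            return self.app(environ, start_response)

        def start_response_with_p3p(status, headers, exc_info=None):
            headers = list(headers)
            # A page that already chose its own compact policy keeps it.
            if not any(name.lower() == "p3p" for name, _ in headers):
                headers.append(("P3P", self.cp_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_p3p)


def framed_app(environ, start_response):
    """Hypothetical application shown inside a cross-domain IFRAME that relies
    on a session cookie (constructed for this example)."""
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", "ASP.NET_SessionId=example123; path=/; HttpOnly")]
    if environ.get("PATH_INFO") == "/embedded/custom":
        # This page sets its own, broader policy; the middleware must not replace it.
        headers.append(("P3P", 'CP="IDC DSP COR ADMa OUR IND PHY ONL COM STA"'))
    start_response("200 OK", headers)
    return [b"hello from the framed application\n"]


def run_request(app, path):
    """Drive a WSGI app in-process (no server) and return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def p3p_header_of(headers):
    """Return the P3P header value from a WSGI header list, or None if absent."""
    for name, value in headers:
        if name.lower() == "p3p":
            return value
    return None


if __name__ == "__main__":
    wrapped = P3PHeaderMiddleware(framed_app, path_prefixes=["/embedded/"])
    for path in ("/embedded/report", "/embedded/custom", "/public/page"):
        status, headers, _ = run_request(wrapped, path)
        print(path, status, p3p_header_of(headers))
```

Scoping the header to the directory that is actually framed keeps the rest of the site out of the third-party-cookie opt-in; wrap the whole application (no path_prefixes) only when every page is meant to work inside a foreign frame.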

2. Using the P3P header to let an IFRAME access cookies across origins

Source: http://blog.csdn.net/wonder4/archive/2008/02/27/2125804.aspx

Recently, while integrating several applications, I ran into the problem that an IFRAME could not obtain the cookie (session). After some searching on Google I finally solved it, and I want to record it here.
This was my requirement.
One application was developed in .NET. It mainly handles user logon and user access permissions, and it is deployed in the Shanghai data center. Call it application A.
Another application was developed in Java, mainly for specific business operations, and it is deployed in the Beijing data center. Call it application B.
Because there is already an application for user management and permissions, the Java application B does not implement user permissions itself and wants to use the .NET application A directly.

The user access flow is as follows:
1. The user logs on to A first. A sets its own cookie, and A's menu contains a link to B's application.
2. When the user clicks the link to B, A automatically appends the user's token to the link and passes it to B's system.
3. When system B receives the request, it stores the user's token in a cookie of its own. (System B has form POST operations; without a cookie or session, every request, GET or POST, would have to carry the token explicitly, which would mean a large number of changes, and later changes to the permission check would also be large.)
4. Inside system B, individual operations do not carry the token, so B reads it from the cookie and sends an HTTP request to system A, letting A verify whether the user has permission for the operation.
5. If A's interface reports that access is allowed, B continues to execute; if A reports that there is no permission, B shows an access-denied warning.
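The five steps above form one procedure, and what matters for security is what each side verifies. The following is an added example, not the code of application A or B from the post: it simulates the flow in one process. The assumptions it makes beyond the post are that the token is "user|expiry" signed with an HMAC under a secret shared by A and B, that A keeps a small ACL, and that B's HTTP call to A's verification interface is replaced by a direct function call; the user names, resources and secret are constructed sample data.

```python
# Added example; not application A's or B's code from the post. Simulates the
# five-step flow in one process so each side's checks are visible. Assumptions
# not in the post: HMAC-signed "user|expiry" token, a shared secret, a sample
# ACL held by A, and a function call standing in for B's HTTP request to A.
import base64
import hashlib
import hmac
import time

SHARED_SECRET = b"example-secret-shared-by-A-and-B"   # constructed; not a real secret
TOKEN_TTL_SECONDS = 300

# ---- Application A (the .NET side): logon and permissions ----
ACL = {"alice": {"reports"}, "bob": {"reports", "admin"}}   # constructed sample ACL


def _sign(payload, secret):
    """Hex HMAC-SHA256 of the payload; hex keeps the '|' separator unambiguous."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()


def a_issue_token(user, now=None, secret=SHARED_SECRET):
    """Step 2: A mints the token it appends to the menu link pointing at B."""
    expiry = int(time.time() if now is None else now) + TOKEN_TTL_SECONDS
    payload = f"{user}|{expiry}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _sign(payload, secret)).decode()


def a_verify(token, resource, now=None, secret=SHARED_SECRET):
    """Steps 4/5: A's verification interface. Returns (allowed, detail)."""
    try:
        payload, sig = base64.urlsafe_b64decode(token.encode()).rsplit(b"|", 1)
        user, expiry = payload.decode().split("|")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        return False, "bad signature"          # tampered or forged link
    if expiry < int(time.time() if now is None else now):
        return False, "token expired"          # a captured link stops working
    if resource not in ACL.get(user, set()):
        return False, f"{user} may not access {resource}"
    return True, user


# ---- Application B (the Java side): business operations ----
class AppB:
    """Holds one browser's cookie jar for B, standing in for Set-Cookie/Cookie."""

    def __init__(self, verify_with_a=a_verify):
        self.cookies = {}
        self.verify_with_a = verify_with_a   # stands in for the HTTP call to A

    def handle_link_from_a(self, query):
        """Step 3: the link from A carries ?token=...; B stores it in its own cookie."""
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        token = params.get("token")
        if not token:
            return "missing token"
        # This is the cookie Internet Explorer drops inside a cross-domain frame
        # unless B sends an acceptable P3P compact policy.
        self.cookies["token"] = token
        return "stored"

    def handle_operation(self, resource, now=None):
        """Steps 4 and 5: read the token from the cookie and let A decide."""
        token = self.cookies.get("token")
        if token is None:
            return "access denied: no token cookie (blocked by the browser?)"
        allowed, detail = self.verify_with_a(token, resource, now=now)
        return f"ok: {detail}" if allowed else f"access denied: {detail}"


if __name__ == "__main__":
    browser = AppB()
    link_token = a_issue_token("alice")
    print(browser.handle_link_from_a("token=" + link_token))
    print(browser.handle_operation("reports"))
    print(browser.handle_operation("admin"))
```

The "no token cookie" branch is exactly the symptom the post goes on to describe: when IE discards B's cookie, every operation in B fails at step 4 even though A and B are both working. The signature and expiry checks are there because the token travels in a link across domains and will be logged and forwarded in Referer headers.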

All development was complete, but when the integration went live I found that this flow could not work, and for a long time I could not figure out what was going on. After a long time on Google it turned out that IE was the culprit: IE does not allow cross-domain access to cookies (Firefox seems to be fine; IE has adopted the W3C P3P protocol since version 6.0). Looking at my application: for the cookie set in step 2, IE blocks application B's cookie on all requests to application B after step 3 (because the user's access is initiated from application A, and access from A to B's content is treated by IE as a cross-domain security issue). (There is a red-eye icon in the IE status bar; click it to see which cookies have been blocked.)

Once the cause is understood, a search shows that the P3P header solves the problem.
The following is one Java solution, which is also the one I used, although the method is not ideal:
add a P3P header to the response.
response.addHeader("P3P", "CP=\"IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA\"");

CP="xxx xxxx" has a specific meaning:
CP stands for Compact Policy, the abbreviated form of a P3P policy that IE reads from the header.
Alternatively, the header value can be policyref="http://myhost/p3p/policyreferences.xml", which points to a full policy reference file.

For details, see here.

The following is the range and meaning of the compact policy tokens, extracted from the specification.

Compact policies
Compact policies are essentially summaries of P3P policies. User agents can use them to get approximate information about a P3P policy quickly, which improves performance.

For an in-depth explanation of compact policies we refer to the P3P 1.0 [4] specification. Here we limit ourselves to stating the syntax:

    compact-policy-field     = 'CP="' compact-policy '"'
    compact-policy           = compact-token *(" " compact-token)
    compact-token            = compact-access | compact-disputes | compact-remedies |
                               compact-non-identifiable | compact-purpose | compact-recipient |
                               compact-retention | compact-category | compact-test
    compact-access           = "NOI" | "ALL" | "CAO" | "IDC" | "OTI" | "NON"
    compact-disputes         = "DSP"
    compact-remedies         = "COR" | "MON" | "LAW"
    compact-non-identifiable = "NID"
    compact-purpose          = "CUR" | "ADM" [creq] | "DEV" [creq] | "TAI" [creq] |
                               "PSA" [creq] | "PSD" [creq] | "IVA" [creq] | "IVD" [creq] |
                               "CON" [creq] | "HIS" [creq] | "TEL" [creq] | "OTP" [creq]
    creq                     = "a" | "i" | "o"
    compact-recipient        = "OUR" | "DEL" [creq] | "SAM" [creq] | "UNR" [creq] |
                               "PUB" [creq] | "OTR" [creq]
    compact-retention        = "NOR" | "STP" | "LEG" | "BUS" | "IND"
    compact-category         = "PHY" | "ONL" | "UNI" | "PUR" | "FIN" | "COM" |
                               "NAV" | "INT" | "DEM" | "CNT" | "STA" | "POL" |
                               "HEA" | "PRE" | "LOC" | "GOV" | "OTC"
    compact-test             = "TST"

The creq suffix (a = always, i = opt-in, o = opt-out) may follow only the purpose and recipient tokens listed with it; "CUR" and "OUR" are listed without one.
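A header copied from a forum post is easy to get wrong (a misspelt token, a suffix on a token that does not take one, an unquoted value). The following is an added example, not code from the page or its sources: a syntax checker for the compact-policy grammar above. It classifies every token by group, reports unknown tokens as errors, and reports creq suffixes the grammar does not allow (such as the "CURa" that appears in two of the page's own header values) as warnings. It assumes the header value carries only the CP field, and it deliberately does not reproduce Internet Explorer's judgement of whether a policy is "satisfactory", which is a separate evaluation from syntax.

```python
# Added example (not the page's code): syntax checker for P3P compact policies,
# following the grammar reproduced on the page. Assumes the header value holds
# only the CP=... field (not a policyref). Does not model IE's
# satisfactory/unsatisfactory evaluation.
import re

TOKEN_GROUPS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                 "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test": {"TST"},
}
CREQ = {"A": "always", "I": "opt-in", "O": "opt-out"}
# Only purpose and recipient tokens take a creq suffix, and even there the
# grammar lists CUR and OUR without one.
CREQ_GROUPS = ("purpose", "recipient")
NO_CREQ = {"CUR", "OUR"}

# CP="..." with the quotes the grammar requires, or unquoted as often seen.
_CP_FIELD = re.compile(r'^\s*CP\s*=\s*"?([^"]*)"?\s*$', re.IGNORECASE)


def _classify(token):
    """Return (group, base, creq) for one token, or None if it is not in the grammar."""
    upper = token.upper()
    for group, members in TOKEN_GROUPS.items():
        if upper in members:
            return group, upper, None
    if len(upper) == 4 and upper[3] in CREQ:
        base = upper[:3]
        for group in CREQ_GROUPS:
            if base in TOKEN_GROUPS[group]:
                return group, base, CREQ[upper[3]]
    return None


def check_compact_policy(header_value):
    """Validate a P3P header value such as 'CP="CAO PSA OUR"'.

    Returns {"tokens": [...], "errors": [...], "warnings": [...]}: errors mean
    the policy is not well-formed; warnings mark constructs outside the grammar
    that lenient parsers still accept."""
    result = {"tokens": [], "errors": [], "warnings": []}
    m = _CP_FIELD.match(header_value)
    if not m:
        result["errors"].append("not a CP=... compact-policy field")
        return result
    tokens = m.group(1).split()
    if not tokens:
        result["errors"].append("empty compact policy")
        return result
    for tok in tokens:
        parsed = _classify(tok)
        if parsed is None:
            result["errors"].append(f"unknown token {tok!r}")
            continue
        group, base, creq = parsed
        if creq is not None and base in NO_CREQ:
            result["warnings"].append(f"{tok!r}: the grammar gives {base} no creq suffix")
        result["tokens"].append({"token": tok, "group": group, "base": base, "creq": creq})
    return result


def is_well_formed(header_value):
    """True when the value parses with no errors (warnings are allowed)."""
    return not check_compact_policy(header_value)["errors"]


if __name__ == "__main__":
    for value in ('CP="CAO PSA OUR"',
                  'CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"',
                  'CP="FOO PSAx OUR"'):
        r = check_compact_policy(value)
        print(value, "->", "ok" if not r["errors"] else r["errors"], r["warnings"])
```

Run it over a header before deploying it; a policy that fails here is one IE may silently treat as absent, which puts you straight back to the blocked-cookie symptom the post describes.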

This article is from the CSDN blog. Please indicate the source when reproducing it: http://blog.csdn.net/wonder4/archive/2008/02/27/2125804.aspx

There is also a P3P validator at http://www.w3.org/p3p/validator.html, which can check the P3P settings of a site, and a good article by a foreign author that is worth reading: http://www.sitepoint.com/article/p3p-cookies-ie6/2
