Cookie same domain, cross-domain single sign-on

Cookie same-domain Single sign-on

Recently in a single sign-on system integration project, we used controls to implement single sign-on (we can introduce later). But now in order to meet customer demand, without the use of controls to achieve single sign-on, first to introduce a single sign-on.

Single Sign-on: A number of different systems are integrated into a unified loading platform, and users can access all systems on this unified load after logging in on any one system. After logging in, the user's permissions and information is no longer limited by a system, even if a system fails (including the unified loading platform), other systems can be used normally. This requires information such as user rights to be saved to the client, not restricted by the server.

In the cookie-related documentation information, it is mentioned that cookies cannot be accessed across domains, but cookies can be shared in level two domain names. This is the limitations of our project, we must unify the domain name of multiple systems, as a level two domain name, unified platform to provide the use of the primary domain name. This allows the single sign-on of the cookie to be implemented.

Introduce a cookie here:

1.cookie is a string property stored on the client, which can be used to read, write, and add to the cookie of the current Web page. The cookie can be manipulated using the cookie attribute of the Document object;

Four optional properties for 2.cookie:

2.1 The Lifetime attribute of the cookie: expires; By default, cookies exist only during the browser session. Exit the browser is lost, you can set the time with the expires, after exiting the browser will not lose the coexistence of the client browser cookie file; Cookies expire after a period of time and the cookie file is automatically deleted.

2.2 Path property: By default, files can be called in the same directory;

For example: The cookie set by http://hanj.com/c1/1.html can be called by http://hanj.com/c1/2.html. But cannot be called by a file in the http://hanj.com/c2/directory;

However, if you set the Path property to "/", then all files under http://hanj.com/can call this cookie.

2.3 Domain Properties: For example, set to ". Hanj.com" can invoke cookies under all servers under. hanj.com.

2.4 Security Properties: False By default, unsecured transmission with HTTP protocol, true: secure transmission with protocols such as HTTPS.

Limitations of 3.cookie:

The browser holds up to 300 cookies, and a maximum of 20 cookies for a single Web server, and no more than 4,000 bytes per cookie.

Single Sign-on implementation environment:

Unified platform Domain name: www.hanj.com

subsystem 1:a.hanj.com

subsystem 2:b.hanj.com

subsystem 3:c.hanj.com

Unified loading platform and subsystems are different servers, unified loading platform to provide login authentication services, on the unified loading platform authentication system login, users can be recognized by other systems.

/**

Function Name: GetCookie

function function: Gets the value of the cookie of the specified name

Input parameters: The string to be tested

Return parameters:

*/

function Getssocookie ()

{

var arrstr = Document.cookie.split (";");

for (var i = 0;i < Arrstr.length;i + +) {

var temp = arrstr[i].split ("=");

if (temp[0] = = "SSO") {

Return unescape (temp[1]);

}

}

Return "";

}

/**

Function Name: Addcookie

function function: Add a cookie

Input parameters: The string to be tested

Return parameters:

*/

function Addssocookie (objvalue)

{

var str = "SSO" + "=" + Escape (ObjValue);

if (true) {//Is 0 without setting the expiration time, the cookie disappears automatically when the browser shuts down

str + = "; path=/";

}

Document.cookie = str;

}

/**

Function Name: Delcookie

function function: Delete cookie

Input parameters: The string to be tested

Return parameters:

*/

function Delcookie ()

{//In order to delete a cookie of the specified name, you can set its expiration time to a past time

var date = new Date ();

Date.settime (Date.gettime ()-10000);

Document.cookie = "SSO" + "=A; Expires= "+ date.togmtstring () +"; path=/";

}

Users in the unified loading platform certification system certification, the use of Addssocookie, user rights information saved to the cookie, the other platform by calling Getssocookie, to obtain user information. This way users can no longer be restricted by the platform, and realize the free access to each system.

In the Addssocookie method, the expiration time of the cookie is not set, so that the cookie disappears automatically when the browser is closed. Note: This cookie is valid only in the same browser process, if you reopen a browser process, cookie information is not available, that is, single sign-on only in the same browser process. If you want to share cookie information without a browser process, set the expiration time as follows:

function Addcookie (objvalue,objhours) {//Add cookie

var str = "SSO" + "=" + Escape (ObjValue);

if (objhours > 0) {//= 0 does not set expiration time, the cookie disappears automatically when the browser shuts down

var date = new Date ();

var ms = objhours*3600*1000;

Date.settime (Date.gettime () + ms);

str + = "; Expires= "+ date.togmtstring () +"; path=/; Domain=.hanj.com ";

}

Document.cookie = str;

}

This allows the cookie to expire after a specified time. However, this security is not guaranteed, if the time setting is too short, the user in use, the cookie may be invalid, need to re-login. If the time is too long, the user is on the next visit, or the computer is re-accessed, the cookie is still in the validity period and may be used by other people. Cookies cannot be deleted accurately and there is a security risk.

Cookie cross-domain single sign-on
In order to quickly and easily implement this function, the first thought is to operate the cookie through JS and let two different domains of cookies can access each other, so that the above results can be achieved, the implementation process can be roughly divided into the following two steps:

1, after the successful login in a system, the use of JS dynamic creation of a hidden iframe, through the SRC attribute of the IFRAME, the cookie value under a domain as
The get parameter is redirected to the B system under the B.aspx page;

var _frm = document.createelement ("iframe");
_frm.style.display= "None";
_frm.src= "Http://b.com/b.jsp?test_cookie=xxxxx";
Document.body.appendChild (_FRM);


2, in the b.aspx page of the B system to obtain the value of the cookie passed in a system, and to write the value of the cookie, so that the simple implementation of the cookie cross-domain access; there is one problem to be aware of, that is, in IE, the operation does not succeed, Need to set the P3P HTTP header in the B.aspx page can be resolved (detailed information can refer to: http://www.w3.org/P3P/), P3P setup code is:
/*
* Tags can also be added in HTML
<meta http-equiv= "P3P" content= ' cp= "IDC DSP COR CURa ADMa our IND PHY ONL COM STA" ' >
*/
Response.appendheader ("P3P", "cp= ' IDC DSP COR CURa ADMa our IND PHY ONL COM STA ');

Cookie same domain, cross-domain Single sign-on (GO)