Personal notes on cross-domain cookies

Source: Internet
Author: User
Recently I worked on a cross-domain cookie problem in my team, sorted out the relevant knowledge points and searched for information online. These are basics, but the quality of what is online is uneven, and some wrong articles have been reposted many times, so I have worked through these questions by testing them myself.

First: can the Domain attribute of a cookie (Cookie.setDomain in the servlet API) be set to a domain name outside the domain where the current application lives? For example, my application is served at www.test1.com. If it sets the cookie Domain to ".test2.com", will the browser accept the cookie returned by the server? And if it does, will the browser send that cookie to www.test2.com on the next request?

I wrote two web applications, each with one servlet, and edited the hosts file so that the first resolves as www.test1.com and the second as www.test2.com. The test process was as follows:

1) First, the www.test1.com application sets a cookie with Domain=.test2.com. In this test both IE and Firefox accepted the cookie: it appeared in the browser's cookie store with Domain shown as .test2.com, so the cookie was written rather than ignored as many articles claim. However, on subsequent visits to either www.test1.com or www.test2.com, the cookie was not sent. This shows that Cookie.setDomain cannot be used to set a domain outside the domain of the current application. Many articles conclude that if www.test1.com sets a cookie with Domain=www.test2.com, the application at www.test2.com can then read that cookie; this is simply irresponsible. It only works when the two hosts share a common root domain (for example a.test1.com setting Domain=.test1.com so that b.test1.com also receives the cookie). Think about it: otherwise I could plant cookies that Baidu's or Alibaba's sites would then read.

Caveat for today's browsers: RFC 6265 (section 5.3) requires a browser to ignore a Set-Cookie whose Domain attribute the request host does not domain-match, so a current browser will not even store the .test2.com cookie in this test. The practical conclusion is the same either way: a cookie can only be shared across hosts that share a registrable root domain.
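To make the rule above concrete, here is a small model of the RFC 6265 storage and sending rules (sections 5.1.3, 5.3 and 5.4), written as an added example for this page rather than code from the original post. It reproduces test 1 (www.test1.com trying to plant Domain=.test2.com) and the shared-root case the paragraph mentions, and goes slightly beyond the text by also covering host-only cookies and a Domain set to a public suffix. The host shop.test1.com and the three-entry public suffix set are assumptions for illustration; nothing here touches the network.

```javascript
'use strict';

// Assumption: a three-entry stand-in for the real Public Suffix List, which
// browsers consult so that nobody can set a cookie for all of ".com".
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org']);

function stripLeadingDot(domain) {
  return domain.toLowerCase().replace(/^\./, '');
}

// RFC 6265 section 5.1.3: host domain-matches domain if they are identical,
// or host ends with "." + domain and host is not an IP address literal.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = stripLeadingDot(domain);
  if (host === domain) return true;
  if (!host.endsWith('.' + domain)) return false;
  return !/^[\d.]+$/.test(host);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // RFC 6265 section 5.3: a Set-Cookie received in a response from requestHost.
  // Returns true if the cookie is stored, false if the browser must ignore it.
  setCookie(requestHost, name, value, domainAttr) {
    const host = requestHost.toLowerCase();
    let domain = host;
    let hostOnly = true;
    if (domainAttr) {
      domain = stripLeadingDot(domainAttr);
      if (PUBLIC_SUFFIXES.has(domain)) {
        // Step 5: a public suffix is refused unless it equals the host itself,
        // in which case the cookie is downgraded to host-only.
        if (domain !== host) return false;
      } else {
        // Step 6: this is the check that stops www.test1.com from planting a
        // cookie for .test2.com; the cookie is ignored entirely.
        if (!domainMatches(host, domain)) return false;
        hostOnly = false;
      }
    }
    // Replace any cookie with the same name and domain, then store.
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // RFC 6265 section 5.4: cookies that go into the Cookie header for a host.
  // Host-only cookies need an exact host match; domain cookies use domain-match.
  cookiesFor(requestHost) {
    const host = requestHost.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .map(c => `${c.name}=${c.value}`)
      .sort();
  }
}

// Reproduces the scenarios discussed in the post plus two extra cases.
function runScenarios() {
  const jar = new CookieJar();
  const out = {};
  // Test 1 from the post: www.test1.com tries to set Domain=.test2.com.
  out.foreignStored = jar.setCookie('www.test1.com', 'sid', 'abc', '.test2.com');
  out.sentToTest2 = jar.cookiesFor('www.test2.com');
  // Shared root domain (assumed host shop.test1.com): this is the case that works.
  out.sharedRootStored = jar.setCookie('shop.test1.com', 'cart', '42', '.test1.com');
  // A cookie with no Domain attribute is host-only.
  out.hostOnlyStored = jar.setCookie('www.test1.com', 'local', '1');
  out.sentToWwwTest1 = jar.cookiesFor('www.test1.com');
  out.sentToShopTest1 = jar.cookiesFor('shop.test1.com');
  // Domain=com must be refused outright.
  out.suffixStored = jar.setCookie('www.test1.com', 'x', '1', 'com');
  return out;
}

module.exports = { domainMatches, CookieJar, runScenarios };
```

Running runScenarios() shows the foreign-domain cookie refused and never sent to www.test2.com, the .test1.com cookie reaching both www.test1.com and shop.test1.com, and the host-only cookie reaching only www.test1.com. Even a pre-RFC browser that stored the .test2.com cookie, as the post's IE and Firefox did, would still never send it to www.test1.com, because the request host does not domain-match test2.com.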

2) Now suppose www.test1.com is our own site and its page embeds the www.test2.com application in an iframe. What happens?

When we first visit www.test1.com, cookies for both www.test1.com and www.test2.com are written to the browser, in IE and in Firefox alike. On the second visit to www.test1.com the two browsers diverge. IE sends only the www.test1.com cookie and not the www.test2.com cookie (so the embedded www.test2.com application cannot read its own cookie); moreover, even when www.test2.com is then visited directly, the cookie that was explicitly written for www.test2.com is not sent. In Firefox, the www.test1.com application receives its own cookie, and the www.test2.com application receives its cookie both when embedded in the iframe and when visited directly. The same applies when the cross-domain resource is loaded with a script tag instead of an iframe. In this respect IE10 applies the stricter policy: by default it withholds third-party cookies (cookies belonging to a domain other than the top-level page's) unless the third party presents a P3P policy.

3) What do we do if we want the www.test2.com application embedded in the iframe to receive the cookies for the test2.com domain?

This is simple: have www.test2.com send a P3P response header, e.g. with response.setHeader("P3P", "CP=\"...\"") in the servlet. There is plenty of material on the P3P protocol online. Note that when www.test1.com embeds www.test2.com in an iframe, the cookie set by www.test1.com is a first-party cookie in the usual sense and the cookie set by www.test2.com is a third-party cookie, so the P3P header must be set by the third-party application; many articles fail to say this. In effect the server at www.test2.com declares a privacy policy to the browser, and the browser in return agrees to send cookies to that server. (P3P was only ever honoured by Internet Explorer and is not supported by current browsers. Today a cookie used in a cross-site iframe must instead carry SameSite=None; Secure, and Safari and Firefox block third-party cookies by default regardless.)

Once that hurdle is cleared, combining the cookie with the Referer header reveals a user's browsing habits and preferences, for example that they often buy books or electronics. Suppose site A embeds a page from site B, and B is configured with P3P. When the user visits A, the browser also requests the page from B; B generates a random ID, writes it to a cookie, and stores the ID together with the Referer in its database. The next time the user visits A, or site C, or any other site that embeds B, the browser again requests B, and B stores the new Referer against the same ID. As long as the user keeps using the same browser and never clears cookies, the ID in the cookie stays the same and B's cookie is sent on every request, so from the stored ID and Referer pairs B can tell which sites the user has visited, since the Referer URL says it all. In this way a person can be tracked and profiled. It is like planting an informant in a hundred shops: whenever you visit one, they report what you bought, and after a while I know what you like to buy. I am not sure how accurate this analogy is.

I will stop here for now; this is my first in-depth look at the topic and I will add to it later as things progress. If there are errors, please point them out. In short, this basic knowledge is the cornerstone of framework design and must be made clear; otherwise the framework is hard to build on and the system can be undermined from beneath.

