Set the P3P header to allow setting cookies cross-origin

Source: Internet
Author: User

In practice there are many requirements like this. For example, we have two domain names and want a login on one domain to automatically log the user in on the other, i.e. a passport (single sign-on) function.

I will only sketch it roughly. For convenience of testing, edit the hosts file (C:\Windows\System32\drivers\etc\hosts) and add the test domain names:

127.0.0.1 www.a.com
127.0.0.1 www.b.com

First, create the a_setcookie.php file with the following content:

<?php
// header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

// Set a cookie for the whole .a.com domain, valid for one hour; the value comes from the id query parameter.
setcookie("test", $_GET["id"], time() + 3600, "/", ".a.com");
?>

Then, create the a_getcookie.php file with the following content:

<?php
// Dump every cookie the browser sent for this domain.
var_dump($_COOKIE);
?>

Finally, create the b_setcookie.php file with the following content:

<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>

----------------------------

After the three files are created, access them through the browser in this order:

http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php

We find that the request made while on the b.com domain did not set the cookie for the a.com domain.

Then, modify a_setcookie.php and remove the comment marker, so that a_setcookie.php becomes:

<?php
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

// Set a cookie for the whole .a.com domain, valid for one hour; the value comes from the id query parameter.
setcookie("test", $_GET["id"], time() + 3600, "/", ".a.com");
?>

Access the pages through the browser again, in the same order:

http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php

This time you will find that the request made while on the b.com domain did set the cookie for the a.com domain.

Finally, it seems that only IE strictly restricts setting cookies cross-origin. The above code was tested in Firefox and succeeds even when no P3P header is sent.

===========================================================

You can use Fiddler to easily understand the meaning of the above P3P code.

P3P Header is present:
CP = "CURa ADMa DEVa PSAo PSDo our bus uni pur int dem sta pre com nav otc noi dsp cor"

Compact Policy token is present. A trailing a means always, a trailing o means opt-out, and a trailing i means opt-in.

CURa
Information is used to complete the activity for which it was provided.

ADMa
Information may be used for the technical support of the Web site and its computer system.

DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.

PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for the purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction timetable. The retention policy MUST be encoded in or linked from the site's human-readable privacy policy.

UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.

PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.

INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.

DEM
Data about an individual's characteristics -- such as gender, age, and income.

STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.

PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.

COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.

NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.

OTC
Other types of data not captured by the above definitions.

NOI
Web site does not collect identified data.

DSP
The privacy policy contains DISPUTES elements.

COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.


Validate at: http://www.w3.org/P3P/validator.html
Learn more: http://www.fiddlertool.com/redir?id=p3pinfo

This article focuses on setting cookies cross-origin. For reading cookies cross-origin, you only need to ensure that the P3P header is sent when the cookie is set; otherwise Internet Explorer will block the cross-origin cookie. This behaviour is described in the Internet Explorer Cookie Internals (FAQ).
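To make the two observations above concrete (the demo, where the a.com cookie only sticks once the P3P header is sent, and the Fiddler breakdown of the compact-policy tokens), here is an added Python example that is not part of the original article: it parses a P3P header value into tokens and qualifiers, and gives a verdict for a captured response using the page's rule that IE keeps a third-party Set-Cookie only when a compact policy accompanies it. The verdict function is an assumed simplification (any parseable policy counts as satisfactory), and the sample responses are constructed; note that P3P is obsolete and current browsers ignore it, gating third-party cookies on the SameSite and Secure attributes instead.

```python
import re

# Compact-policy tokens listed on this page, with abbreviated meanings.
CP_TOKENS = {
    "CUR": "complete current activity", "ADM": "site administration",
    "DEV": "research and development", "PSA": "pseudonymous analysis",
    "PSD": "pseudonymous decision", "OUR": "shared only with ourselves/agents",
    "BUS": "retained per business practices", "UNI": "unique identifiers",
    "PUR": "purchase information", "INT": "interactive data",
    "DEM": "demographic data", "STA": "state management, e.g. cookies",
    "PRE": "preference data", "COM": "computer information",
    "NAV": "navigation data", "OTC": "other data types",
    "NOI": "no identified data collected", "DSP": "has DISPUTES elements",
    "COR": "errors will be remedied",
}
# Trailing letter on purpose tokens; no letter means the purpose always applies.
QUALIFIERS = {"": "always", "a": "always", "i": "opt-in", "o": "opt-out"}

def parse_cp(header_value):
    """Parse 'CP="CURa ADMa OUR ..."' into (token, qualifier) pairs.
    Raises ValueError on an unquoted value or an unknown token."""
    m = re.fullmatch(r'\s*CP\s*=\s*"([^"]*)"\s*', header_value)
    if not m:
        raise ValueError("not a compact policy: %r" % header_value)
    parsed = []
    for tok in m.group(1).split():
        base, qual = tok[:3].upper(), tok[3:].lower()  # tokens are case-insensitive
        if base not in CP_TOKENS or qual not in QUALIFIERS:
            raise ValueError("unknown compact-policy token: %r" % tok)
        parsed.append((base, QUALIFIERS[qual]))
    return parsed

def ie_third_party_cookie_verdict(response_headers):
    """Assumed model of the IE behaviour described above: a Set-Cookie received
    in a third-party context is kept only if the same response carries a
    parseable P3P compact policy. response_headers: list of (name, value)."""
    if not any(n.lower() == "set-cookie" for n, _ in response_headers):
        return "no-cookie"
    p3p = [v for n, v in response_headers if n.lower() == "p3p"]
    if not p3p:
        return "blocked: no P3P header"
    try:
        parse_cp(p3p[0])
    except ValueError as e:
        return "blocked: %s" % e
    return "accepted"

# Constructed samples modelled on the two versions of a_setcookie.php above.
COOKIE = ("Set-Cookie", "test=www.b.com; path=/; domain=.a.com")
WITHOUT_P3P = [("Content-Type", "text/html"), COOKIE]
WITH_P3P = [("P3P", 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA '
                    'PRE COM NAV OTC NOI DSP COR"')] + WITHOUT_P3P
```

Feeding the headers of a captured response (for example from Fiddler) to ie_third_party_cookie_verdict tells you which of the two states the demo is in.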
