Implementing cross-domain cookie access by setting the P3P header

Source: Internet
Author: User
Tags: setcookie

Reprint: http://blog.c114.net/html/38/193738-35549.html


Passport means two things: one account can be used to log in to different services, and once logged in to one service the user can roam freely to the others. Frankly, Sohu Passport is currently quite bad at the second point (but making it work well is my job, hehe).

Sohu's SSO requirement is more troublesome because it spans many domain names: sohu.com, chinaren.com, sogou.com, focus.cn, 17173.com, go2map.com. The main obstacle to roaming for logged-in users comes from this.

Previously, integration between the e-mail system and other systems was done by providing a URL: when a user clicked that link from a third-party system, the cookies needed to access the mail interface were generated and the user then entered the mail system. This approach does work, but the problems are:
1. Every external link must jump through the special URL, which is very troublesome to maintain.
2. Integrating two systems is already a hassle; with several integrated systems it becomes a nightmare, since each one needs its own jump and there is no central mechanism.
3. It cannot handle a user who accesses the system directly by typing the address into the address bar.

The solution to the above is relatively easy, even across domains:
A. All logins are first authenticated through a central server, which then gives the browser a cookie (called the SSO cookie below).
B. When the user accesses an app on another domain name, the browser cannot send the SSO cookie to that server for authentication. Instead, JavaScript dynamically creates a hidden iframe that requests the SSO server.
C. That iframe request carries the SSO cookie to the SSO server. After the SSO server verifies the cookie, it returns a redirect to a URL of the app, and that URL sets the app cookie.
D. The visible page in the browser can interact with the redirected content. For example, JS can detect that the redirected page has returned successfully and refresh the whole page, so that to the user it looks no different from visiting while already logged in.

Here's the real trick: how to set cookies across domains in IE
The technique above does not look bad. However, it assumes that all logins are POSTed to the SSO server and that the app page is returned only after authentication succeeds. But one of the requirements I received was to support logging in without a page refresh.

Ha. This means that the login form on chinaren.com, which originally submitted to chinaren.com itself, would have to submit to passport.sohu.com, the SSO server. But in the AJAX wave, Chinaren plans to submit with XMLHttpRequest, and that is troublesome because XMLHttpRequest cannot submit cross-domain.

So the solution is to generate the cookie across domains: when JS finds that the password verification succeeded, it plants a valid cookie on passport.sohu.com.

The solution seems simple to infer from the cross-domain cookie reading above: create a hidden iframe and let that iframe call a passport.sohu.com URL that generates the cookie. Unfortunately, this works fine under Fx (Firefox) but cannot be applied on IE. (IE shows a cookie privacy warning in the status bar: a red round icon on a white bar.)

I tried a lot of ways, including creating nodes and setting them from JS, but all of them were relentlessly blocked by IE. Googling turned up no really usable answer: the Chinese web pages either describe the wrong method or say there is no solution.

Finally, with the help of a Chinaren buddy, I learned the way they interact with alumni.sohu.com (I don't know which expert found it): just set the P3P HTTP header on the response loaded in the hidden IFRAME, and setting the cookie across domains succeeds. The header they use is:

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Finally, I made a little demo of how cookies interact between vmx.cn and dup2.net:

1. Open http://qiuyingbo.test.vmx.cn/cookie.php

2. Enter anything and click Reset Cookie; you can see that the vmx.cn cookie has been set.

3. From that page, follow the link to http://www.dup2.net/vmx/cookie.html

4. Click "Get Cross-domain cookie". (At this point JS creates an IFRAME that requests qiuyingbo.test.vmx.cn; the returned page redirects back to another URL on dup2.net with the cookie value as a GET parameter.)

5. Click "Display Cross-domain cookie". You can see the vmx.cn cookie.

6. Enter a different value in the page's input box and click "Set Cross-domain cookie", which actively sets the vmx.cn cookie.

7. Click the link back to http://qiuyingbo.test.vmx.cn/cookie.php; you can see the new value of the cookie.


Author: Lao Wang

I read an article on the Internet saying that P3P can be used to complete a cross-domain cookie operation. It felt very cool, but no source code was provided, so I quickly wrote some; have a look.

In practice there are many requirements like this. For example, we have two domain names and want a login on one domain name to automatically complete the login on the other, i.e. a Passport function.

I only wrote a rough version. For convenience of testing, first edit the hosts file (C:\WINDOWS\system32\drivers\etc\hosts) and add the test domain names:

127.0.0.1 www.a.com
127.0.0.1 www.b.com

First: create the a_setcookie.php file with the following content (the P3P header line is commented out for now):

<?php
// Compact policy header; commented out in this first version so IE applies its default third-party cookie policy.
// header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

// Set a cookie on the a.com domain, valid for one hour, with the value taken from the id query parameter.
setcookie("test", $_GET['id'], time() + 3600, "/", ".a.com");
?>

Then: create the a_getcookie.php file with the following content:

<?php
// Dump every cookie the browser sent for the a.com domain.
var_dump($_COOKIE);
?>

Finally: create the b_setcookie.php file with the following content:

<!-- Served from www.b.com; the browser fetches a_setcookie.php from www.a.com as a third-party request. -->
<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>

----------------------------

After creating the three files, open them in the browser:

http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php

We find that visiting the b.com domain did not set the cookie value on the a.com domain.

Then we modify a_setcookie.php and remove the comment marker, so that a_setcookie.php becomes:

<?php
// Now the compact policy header is actually sent, so IE accepts the third-party cookie.
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

setcookie("test", $_GET['id'], time() + 3600, "/", ".a.com");
?>

Access them again through the browser:

http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php

This time we find that visiting the b.com domain did set the cookie value on the a.com domain.

Finally, it seems that only IE is this strict about cross-domain cookie access: the code above passes under Firefox even without sending the P3P header. But IE is the boss.
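The a_setcookie.php above lets any page that can include the script set an a.com cookie to a value of its choosing, and the SSO hop in steps B and C of the first article has the same shape. As an added example that is not code from either article, here are both sides of that hop in PHP with the identity carried in an HMAC-signed, short-lived ticket bound to the destination host, and the app cookie set with the attributes current browsers require inside a third-party iframe (P3P is sent only for legacy IE). The shared $SECRET, the sso_session cookie name and the app.example.test/app_login.php endpoint are constructed assumptions.

```php
<?php
// Added example (not code from either article): the hidden-iframe hop of steps B and C,
// where the SSO server checks its cookie and redirects, and the app then sets its own cookie,
// carried by a signed, short-lived ticket in the redirect URL rather than the raw cookie value.
// Constructed/assumed: $SECRET shared by both servers, cookie "sso_session", app endpoint below.
$SECRET = 'constructed-placeholder-secret-use-32-random-bytes';
// Ticket = base64(json{user, expiry, app host}) . "." . HMAC-SHA256 over that payload.
function make_ticket(string $user, string $appHost, string $secret, int $ttl = 60): string
{
    $payload = base64_encode(json_encode(['u' => $user, 'e' => time() + $ttl, 'a' => $appHost]));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Returns the user, or null if the signature, expiry or intended host does not check out.
function verify_ticket(string $ticket, string $expectedHost, string $secret): ?string
{
    $parts = explode('.', $ticket, 2);
    if (count($parts) !== 2) { return null; }
    [$payload, $sig] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $sig)) { return null; }
    $d = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($d) || ($d['e'] ?? 0) < time() || ($d['a'] ?? '') !== $expectedHost) { return null; }
    return (string) $d['u'];
}
// SSO server, the URL the hidden iframe requests in step B. Redirect targets come from an
// allowlist keyed by host, so a ticket is never minted for a host the SSO does not know.
function sso_check(array $cookie, array $get, string $secret): void
{
    $allowed = ['app.example.test' => 'https://app.example.test/app_login.php'];
    $appHost = $get['app'] ?? '';
    if (!isset($allowed[$appHost])) { http_response_code(400); exit; }
    $user = $cookie['sso_session'] ?? null;   // real code: look the session up server-side
    if ($user === null) { header('Location: ' . $allowed[$appHost] . '?status=anon'); exit; }
    $ticket = make_ticket($user, $appHost, $secret);
    header('Location: ' . $allowed[$appHost] . '?ticket=' . rawurlencode($ticket));
    exit;
}

// App side, the redirect target of step C: redeem the ticket, then set the app cookie.
function app_login(array $get, string $host, string $secret): void
{
    $user = verify_ticket($get['ticket'] ?? '', $host, $secret);
    if ($user === null) { http_response_code(403); exit; }
    // P3P matters only to legacy IE; current browsers need SameSite=None; Secure in a third-party iframe.
    header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
    setcookie('app_session', $user, ['expires' => time() + 3600, 'path' => '/', 'domain' => '.app.example.test',
        'secure' => true, 'httponly' => true, 'samesite' => 'None']);
    echo '<script>parent.postMessage("sso-ok", "https://app.example.test");</script>'; // step D
}
```

Each server calls its own function with its request arrays (`sso_check($_COOKIE, $_GET, $SECRET)` on the SSO host, `app_login($_GET, $_SERVER['HTTP_HOST'], $SECRET)` on the app host); the ticket expires after 60 seconds, so a leaked redirect URL is of little use afterwards.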
