ASP.NET: cross-domain cookie questions (domain names)

  • 2020-05-19 04:30:01
  • OfStack

Across second-level domains (subdomains)
We know that a cookie can be shared across second-level domains, that is, between subdomains of the same registered domain, and this is easy to understand. For example, if your web application at www.test1.com creates a cookie that must also be readable by the application at bbs.test1.com, you must set the Domain attribute to the common parent, domain=test1.com, when you create the cookie. Taking ASP.NET as an example, the code is as follows:


HttpCookie cookie = new HttpCookie("name", "www.Admin10000.com"); 
cookie.Domain = "test1.com"; 
cookie.Path = "/"; 
Response.Cookies.Add(cookie); 
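To make the rule above concrete, here is an added example (not part of the original article and not ASP.NET code) that models how a browser decides which hosts receive a cookie carrying a Domain attribute, following RFC 6265 section 5.1.3 (domain matching) and section 5.3 (which Domain values a response is allowed to set). The public-suffix list inside it is a constructed subset, just enough for the article's hosts; real browsers use the full list from publicsuffix.org.

```javascript
// Added example: browser-side Domain attribute rules (RFC 6265 5.1.3 and 5.3).
// Not ASP.NET code; the host names follow the article's test setup.

// Constructed subset of the public suffix list, enough for this example.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

function normalizeDomain(d) {
  // Browsers ignore a leading dot (".test1.com" == "test1.com") and compare
  // case-insensitively.
  return d.replace(/^\./, '').toLowerCase();
}

function isIpv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 5.1.3: the request host domain-matches the cookie domain if it is
// identical, or the cookie domain is a suffix of the host preceded by a "."
// and the host is a name rather than an IP literal.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = normalizeDomain(cookieDomain);
  if (host === domain) return true;
  if (isIpv4(host)) return false;
  return host.endsWith('.' + domain);
}

// RFC 6265 5.3 steps 5-6: a response from responseHost may only set a Domain
// that (a) is not a public suffix and (b) domain-matches the host that set it.
// Anything else is rejected and the whole cookie is ignored by the browser.
function canSetDomain(responseHost, cookieDomain) {
  const domain = normalizeDomain(cookieDomain);
  if (PUBLIC_SUFFIXES.has(domain)) return false;
  return domainMatches(responseHost, domain);
}

// Given a Set-Cookie from responseHost with Domain=cookieDomain, which of the
// candidate request hosts will later receive that cookie?
function hostsReceivingCookie(responseHost, cookieDomain, candidates) {
  if (!canSetDomain(responseHost, cookieDomain)) return [];
  return candidates.filter((h) => domainMatches(h, cookieDomain));
}

// Article scenario: www.test1.com sets Domain=test1.com.
const hosts = ['www.test1.com', 'bbs.test1.com', 'test1.com', 'www.test2.com', 'evil-test1.com'];
console.log(hostsReceivingCookie('www.test1.com', 'test1.com', hosts));
// shared with www.test1.com, bbs.test1.com and test1.com, never with test2.com
console.log(hostsReceivingCookie('www.test1.com', 'test2.com', hosts));
// empty: www.test1.com is not allowed to set a cookie for test2.com
console.log(hostsReceivingCookie('www.test1.com', 'com', hosts));
// empty: "com" is a public suffix, so the cookie is rejected outright
```

The last two calls are the reason the next section cannot rely on a Domain attribute alone: the browser silently drops a Set-Cookie whose Domain is a different registered domain, so test1.com has to get test2.com itself to issue the cookie.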

Across different registered domains
What if, instead of a subdomain, a cookie is created in the web application at www.test1.com and we want to read it in www.test2.com or one of its subdomains? We know this cannot be done by normal means: a response from test1.com is not allowed to set a cookie whose Domain is test2.com, and the browser will never send a test1.com cookie to test2.com. The question is whether there is any other way. The answer is that a cookie can be carried across domains only under certain conditions, not at will.

Let's run a test to see how two sites, www.test1.com and www.test2.com, can pass a cookie across domains. Strictly speaking we would need two registered domains and a DNS server to configure them, otherwise the experiment cannot be verified. We do not need to go to that trouble here; we can simulate it by editing the hosts file, which on Windows is at C:\Windows\System32\drivers\etc\hosts. Append at the end:

127.0.0.1 www.test1.com
127.0.0.1 www.test2.com
With these two lines both domain names resolve to the local loopback address. We only need to deploy a single application on IIS bound to 127.0.0.1, and we can reach it under either domain name.

We create three new pages, Default.aspx, SSO.ashx, GetCookie.aspx.

Default.aspx is the www.test1.com page, reached at http://www.test1.com/Default.aspx. It has only front-end markup and no code-behind logic:


<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="Admin10000.Web.Default" %> 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head runat="server"> 
    <title></title> 
</head> 
<body> 
    <form id="form1" runat="server"> 
    <div> 

        <script type="text/javascript"> 
            var _frm = document.createElement("iframe"); 
            _frm.style.display = "none"; 
            _frm.src = "http://www.test2.com/SSO.ashx"; 
            document.body.appendChild(_frm);    
        </script> 

    </div> 
    </form> 
</body> 
</html> 

The second is the SSO.ashx handler, which we treat as the www.test2.com page. It has no front-end markup; the code-behind is as follows:


using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.Services; 
using System.Web.SessionState; 

namespace Admin10000.Web 
{ 
    /// <summary> 
    /// Issues the test2.com cookie when this handler is loaded from a test1.com page. 
    /// </summary> 
    [WebService(Namespace = "http://tempuri.org/")] 
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)] 
    public class SSO : IHttpHandler 
    { 

        public void ProcessRequest(HttpContext context) 
        { 
            // The cookie is issued by this test2.com response, so its Domain can
            // only be test2.com (or a subdomain of it); it is not test1.com's cookie.
            HttpCookie cookie = new HttpCookie("name", "www.Admin10000.com"); 
            cookie.Domain = "test2.com"; 
            cookie.Path = "/"; 
            cookie.Expires = DateTime.Now.AddMinutes(10000); // persistent, not session-only
            context.Response.Cookies.Add(cookie); 

            context.Response.ContentType = "text/plain"; 
            // Compact P3P policy so Internet Explorer accepts a cookie set from
            // inside a cross-site iframe; other browsers ignore this header.
            context.Response.AddHeader("P3P", "CP=CAO PSA OUR"); 
            context.Response.Write(""); 
        } 

        public bool IsReusable 
        { 
            get
            { 
                return false; 
            } 
        } 
    } 
} 

Finally, the GetCookie.aspx page, also under www.test2.com, has no front-end markup of interest; only the code-behind matters:


using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.UI; 
using System.Web.UI.WebControls; 

namespace Admin10000.Web 
{ 
    public partial class GetCookie : System.Web.UI.Page 
    { 
        protected void Page_Load(object sender, EventArgs e) 
        { 
            if (Request.Cookies["name"] != null) 
            { 
                Response.Write(Request.Cookies["name"].Value); 
            } 
        } 
    } 
} 

Now let's test it. Visit http://www.test1.com/Default.aspx; the hidden iframe loads http://www.test2.com/SSO.ashx, which runs the cookie-creating code. Then visit http://www.test2.com/GetCookie.aspx and the cookie value is printed. Note what actually happened: the cookie was not created "under www.test1.com". It was issued by a response from www.test2.com, scoped to Domain=test2.com, while the browser was rendering a test1.com page. In other words it is a third-party cookie, and whether the browser stores it at all depends on its third-party cookie policy.

Points to note:
context.Response.AddHeader("P3P", "CP=CAO PSA OUR"); sets the P3P response header. Internet Explorer honours P3P, and without a compact policy it refuses to store a cookie set from inside a cross-site iframe. (Firefox does not implement P3P, so for Firefox the header is unnecessary.) Current browsers ignore P3P entirely; what decides whether the iframe's cookie is kept is the SameSite attribute (a cookie set in a third-party context needs SameSite=None, which in turn requires Secure, i.e. HTTPS; in ASP.NET on .NET Framework 4.7.2 or later this is HttpCookie.SameSite) together with the browser's third-party cookie handling: Safari blocks third-party cookies by default and Firefox partitions them per top-level site, so a cookie set by SSO.ashx inside the iframe would not be visible when test2.com is visited directly. The sample above, which is plain HTTP and sets no SameSite, should therefore be expected to fail on those browsers.

In a real single sign-on scenario, Default.aspx would read the cookie value under test1.com and append it to the iframe src as a query-string parameter; SSO.ashx would read that parameter and write the value into a cookie under test2.com. The sample above simplifies this by hard-coding the value. Be careful with the real version: a session identifier placed in a URL ends up in browser history, proxy and server logs and Referer headers, so pass a short-lived, signed, single-use token rather than the cookie value itself, and have SSO.ashx validate it before issuing the test2.com cookie.

Alternatively, Default.aspx can load SSO.ashx through a script tag instead of an iframe:


<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="Admin10000.Web.Default" %> 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 

<html xmlns="http://www.w3.org/1999/xhtml" > 
<head runat="server"> 
    <title></title> 
</head> 
<body> 
    <form id="form1" runat="server"> 
    <div> 
        <script type="text/javascript" src="http://www.test2.com/SSO.ashx"></script> 
    </div> 
    </form> 
</body> 
</html> 
