Cookies shared across domains cookies shared by secondary domain names

Time:2019-12-3

background

Recently in SSO single sign on, the backend needs to send the token and user information to the front-end in the form of cookie after SSO login is successful. Because the project is separated from the front-end and the back-end, this involvesFront and back end cross domain cookie sharingNext, I will talk about my solution in the project.


Solution 1: share cookies through secondary domain names

At first, I saw a lot of cross domain cookie sharing methods on the Internet, most of which are jsonp and CORS. Today, I’m going to introduce another one – sharing cookies based on secondary domain names, because it’s simple(Be carefulThere is a restriction on the use of secondary domain names to share cookiesThe secondary domain names of two domain names must be the same)

Two level domain name
Let’s first introduce what is a secondary domain name. Take www.baidu.com as an example. Com is the primary domain name of this domain name, baidu.com is the secondary domain name of this domain name, www.baidu.com is the tertiary domain name of this domain name, and so on
Second level domain name sharing means that the second level domain names of two domain names must be the same, and the cookies between them can only be shared if they meet this condition. (for example: a.xxx.test.io and b.test.io, the secondary domain names of these two domains are the same)

Code implementation (based on JDK1.8)

//Add cookie cookie cookie name
    Cookie cookieName = new Cookie("user_name", userName);
    Cookie name. Setdomain ("test. IO"); // share cookie through secondary domain name
    cookieName.setPath("/");
    cookieName.setMaxAge(Integer.MAX_VALUE);
    cookieName.setSecure(false);
    response.addCookie(cookieName);

    //Add cookie token
    Cookie token = new Cookie("token", token);
    Token. Setdomain ("test. IO"); // share cookies through secondary domain names
    token.setPath("/");
    token.setMaxAge(Integer.MAX_VALUE);
    token.setSecure(false);
    response.addCookie(token);
    
    //Delete cookies when browser is closed
    Cookie token = new Cookie("token", null);
    token.setDomain("test.io");
    token.setPath("/");
    token.setSecure(false);
    Token.setmaxage (0); // 0 means to close the browser and delete the cookie. If the number is negative, the cookie will be invalid (not deleted)
    response.addCookie(token);

Parameter introduction
Domain: the secondary domain name to be set (at least the secondary domain name, which can be the tertiary domain name, the Quaternary domain name…)
Path: sets the path to which cookies can be accessed. If the path of cookie1 is / test /, and the path of cookie2 is / test / T /, then all pages under the test path can access cookie1, and only pages under / test / T / can access cookie2.
Maxage: expiration time (time unit is seconds), set to a negative number to close the browser. If it is set to 0, it means the cookie is deleted. If it is an integer, it means the cookie is invalid after the set time
Secure: whether to transmit in encrypted mode is false by default. If it is true, only HTTPS protocol can be used (because HTTPS protocol is encryption protocol, but HTTP is not).


Solution 2: set the response header

Direct code

@RequestMapping(value = "/test.do")
public void testHandler(HttpServletRequest request, HttpServletResponse response){
    response.setHeader("Access-Control-Allow-Headers", "X-Requested-With, accept, content-type, xxxx");
    response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");
    response.setHeader("Access-Control-Allow-Credentials", "true"); 
    response.setHeader("Access-Control-Allow-Origin", "http://localhost:8080");
    Cookie cookieName = new Cookie("user_name", "test");
    cookieName.setPath("/");
    cookieName.setMaxAge(Integer.MAX_VALUE);
    response.addCookie(cookieName);
   
}

Interpretation:
“Access-Control-Allow-Headers”:Optional fields. The getresponseheader() method of the XMLHttpRequest object can only get six basic fields: cache control, content language, content type, expires, last modified, pragma. If you want to get other fields, you must specify them in access control expose headers.
“Access-Control-Allow-Methods”:Optional field that allows you to request the method type of the interface.
“Access-Control-Allow-Credentials”:Optional fields. Its value is a boolean indicating whether cookies are allowed to be sent. By default, cookies are not included in CORS requests. If it is set to true, it means that the server has explicit permission. Cookies can be included in the request and sent to the server together. This value can only be set to true. If the server does not want the browser to send cookies, delete this field.
“Access-Control-Allow-Origin”:Mandatory Field。 Its value is either the value of origin field at the time of request (such as http: / / localhost: 8080 in the example), or a * to accept the request of any domain name.


Solution 3: set @ crossorigin

First look at the code implementation

@CrossOrigin(origins = "http://localhost:8080", maxAge = 3600, methods = {RequestMethod.OPTIONS, RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE})
@RequestMapping(value = "/test.do")
public void testHandler(HttpServletRequest request, HttpServletResponse response){
    
    Cookie cookieName = new Cookie("user_name", "test");
    cookieName.setPath("/");
    cookieName.setMaxAge(Integer.MAX_VALUE);
    response.addCookie(cookieName);
   
}

@Crossorigin annotations are annotated methods that have the ability to accept cross domain requests. By default, it enables methods to accept requests from all domains, all request headers…. In this case, we only accept

Http: / / localhost: a cross domain request sent from 8080.