How to share session among Multiple Domains on sin

2019-01-28 16:37发布

问题:

I want to share session cookie among domains.

I have more than one domain: -

1. mydomain.com
2. mydomain.fr
3. mydomain.de
4. mydomain.da
...and many other language based

Now, I have single website deployed on a server. I want to share session among the different domains on the single website. How do I achieve this?

I found on web <httpCookies domain=".mydomain.com" /> but it work with sub domains (like test.mydomain.com and secure.mydomain.com) but not for the different domains.

I also tried <httpCookies domain=".mydomain." /> but by this session stopped working.

Could anyone help me please?

回答1:

You can't share cookies on domains that have different top level domain name.

This is only possible to do with subdomains.

mydomain.com
fr.mydomain.com
de.mydomain.com
da.mydomain.com
...


回答2:

You cannot share a cookie between different domain directly. But there is one way to make it possible at some context. You can make JSONP request or loading an iframe in your JS. if you use iframe make a http POST call using form. Form tag has your another domain name as action and iframe name as a target. What form will do is it will load an ifram and the cookie of your different domain will come in your browser.

Code:

<iframe name="iframe-test" border="1px"></iframe>

<form id="iframe-form" target="iframe-test" action="http://differentdomain.com/setCookie" method="POST">
     <input type="hidden" value="1234" name="token">
   </form>

    <script type="text/javascript">
        function submitForm(){          
            var form = document.getElementById("iframe-form");
            form.submit();              
        }
    </script>


回答3:

As Oded states you cannot share cookies across different top level domains. Therefore you may need to look into a different method of persisting sessions.

Swapping the Session State provider as danyolgiax proposes will not solve your issue as the session identification is still happening with cookies. Therefore you need to look into an approach such as cookieless sessions:

Cookieles sessions

Then you may choose to store the data in a Database or InProc session on server. Once you've removed the dependency on cookies.

Edit

Additionally then, if you some clientside activity using a non-auth cookie that absolutely requires the cookies to be present you would write them from each different domain based on these server/session stored values. So a user switching domains eventually gets your cookie for each domain.



回答4:

If you are using SQL Server, I think you can use it as session state provider.

in web.config:

<sessionState 
        mode="SQLServer"
        sqlConnectionString="data source=127.0.0.1;user id=<username>;password=<strongpassword>"
        cookieless="false" 
        timeout="20" 
/>

Here some doc:

http://msdn.microsoft.com/en-us/library/ms178581.aspx