Share a cookie between two websites

Posted 2020-01-25 07:05

I have built a website (A) which logs in to and retrieves customer data from a separate web service.

The organisation that owns (A) also has a website (B) which has a web form. They want a logged in customer on (A) to be able to click across to (B) and see a pre-populated form with their details.

This means (A) must write their customer ID to a cookie, which (B) can read, and then (B) can request the data from the web service, and pre-populate the form.

This raises two questions:

  1. Can website (B) read the cookie for website (A)?

  2. If so, to prevent someone from editing a cookie and seeing other people's data in the form, I would need to do something like encrypt the cookie on (A) and then have that decrypted in (B) - any suggestions along this line?

I can't change the existing login to OAuth or something, as the web service is consumed by several other sites, so this cannot change.

Tags: http cookies
7 answers
成全新的幸福
#2 · 2020-01-25 07:19

No. Website B can't read a cookie from website A.

The easiest work-around is to pass login/credential information from website A to website B and have website B set a separate cookie. For example, after logging into website A you could have them quickly redirected to website B with an encrypted querystring. Website B could then read the information, set its own cookie, and redirect the user back to site A.

It's messy but possible.

该账号已被封号
#3 · 2020-01-25 07:24

If in your case all your users use browsers with HTML5 support, you can use the window.postMessage method, which allows you to addEventListener on one side and to postMessage from the other. Here is a nice article/example: https://developer.mozilla.org/en-US/docs/Web/API/window.postMessage.

Then the steps are simple:

  1. add to site A a hidden iframe to site B
  2. send B's cookie to A using window.postMessage
  3. store the received cookie in A's cookie
疯言疯语
#4 · 2020-01-25 07:26

You mentioned the same company owns both sites. As you suspected, if the sites have the same domain like www.mycompany.com and store.mycompany.com, then they can share cookies. The HTTP response header would look something like this:

Set-Cookie: user_id=1295214458; Path=/; Domain=.mycompany.com

Since the client has direct access to this data, you should also include a signature so tampering would be detected. Usually the whole thing is encrypted and signed into a "token", and that is set as the cookie. But technically, just the signature is required.
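
An added example (not part of the original answer, and not code from either site) of the signature-only approach described above: site A signs the customer ID plus an expiry with HMAC-SHA256, and site B verifies the value before requesting data from the web service. The shared key, the five-minute lifetime and all function names are assumptions; the user ID is the sample value from the Set-Cookie header above.

```python
import base64, hashlib, hmac, json, time

# Assumption: A and B share this secret out of band. Constructed placeholder value.
SHARED_KEY = b"constructed-demo-key-replace-with-32-random-bytes"
MAX_AGE = 300  # seconds a token stays valid (assumed policy)

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, now=None, key=SHARED_KEY) -> str:
    """Site A: build 'payload.signature' to use as the cookie value."""
    now = int(time.time()) if now is None else int(now)
    payload = json.dumps({"uid": user_id, "exp": now + MAX_AGE},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

def verify_token(token: str, now=None, key=SHARED_KEY):
    """Site B: return the user id, or None if the token is altered, forged or expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64d(payload_b64), b64d(sig_b64)
    except (ValueError, AttributeError):
        return None  # wrong shape or invalid base64
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)  # parsed only after the signature checks out
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] < now:
        return None  # expired: limits how long a copied cookie is useful
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None

if __name__ == "__main__":
    cookie_value = issue_token("1295214458")
    print("Set-Cookie: user_id=%s; Path=/; Domain=.mycompany.com; Secure; HttpOnly"
          % cookie_value)
    print("B sees user:", verify_token(cookie_value))
```

The signature authenticates the ID but does not hide it, so anything that must stay confidential still needs encryption as the answer notes.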

爱情/是我丢掉的垃圾
#5 · 2020-01-25 07:31

Potential work-around: You could use an inline frame on the secondary site to show content from the primary site (taking up the full window):

<!DOCTYPE HTML>
<html>  
  <head>  
       <title>your page title</title>  
        <style type="text/css">
            body, html {
            margin: 0; padding: 0; height: 100%; overflow: hidden;
            }
            #content {
            position:absolute; left: 0; right: 0; bottom: 0; top: 0px; 
            }
        </style>
  </head>  
  <body>
    <div id="content">
    <iframe width="100%" height="100%" frameborder="0" src="http://yourMainSite.com/dataDependentPage.php" ></iframe>
    TESTING
    </div>
  </body>  
 </html>
我想做一个坏孩纸
#6 · 2020-01-25 07:32

Cookies are only accessible to a single domain that they are set to.

I believe if you are using two sub-domains on the same domain it would be possible to share the cookies, however the browser doesn't send cookies set on one domain to any others.

Edit: You also want to avoid storing large amounts of data in a cookie. Is there perhaps the chance you could create an API that site B could query with JavaScript?

兄弟一词,经得起流年.
#7 · 2020-01-25 07:33

HttpCookie.Domain Property might help.

Excerpt:

MyCookie.Domain = domainName;