通过设置P3P头来实现跨域访问COOKIE
2007年01月25日 星期四 下午 4:39

欢迎访问火丁笔记:http://huoding.com/

火丁的订阅地址:http://huoding.com/feed

作者:老王

网上看了别人介绍的一片文章,说使用P3P可以完成跨域COOKIE操作,感觉很COOL,不过没有提供源代码,我胡乱写了一下,大家看看。

实际工作中,类似这样的要求很多,比如说,我们有两个域名,我们想实现在一个域名登录后,能自动完成另一个域名的登录,也就是PASSPORT的功能。

我只写一个大概,为了测试的方便,先编辑hosts文件,加入测试域名(C:\WINDOWS\system32\drivers\etc\hosts)

127.0.0.1 www.a.com

127.0.0.1 www.b.com

首先:创建 a_setcookie.php 文件,内容如下:

<?php

//header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

setcookie("test", $_GET['id'], time()+3600, "/", ".a.com");

?>

然后:创建 a_getcookie.php 文件,内容如下:

<?php

var_dump($_COOKIE);

?>

最后:创建 b_setcookie.php 文件,内容如下:

<script src="http://t.zoukankan.com/http://www.a.com/a_setcookie.php?id=www.b.com"></script>

----------------------------

三个文件创建完毕后,我们通过浏览器依次访问:

http://www.b.com/b_setcookie.php

http://www.a.com/a_getcookie.php

我们会发现,在访问b.com域的时候,我们并没有在a.com域设置上cookie值。

然后我们修改一下a_setcookie.php文件,去掉注释符号,a_setcookie.php即为:

<?php

header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

setcookie("test", $_GET['id'], time()+3600, "/", ".a.com");

?>

再次通过浏览器依次访问:

http://www.b.com/b_setcookie.php

http://www.a.com/a_getcookie.php

这次,你会发现在访问b.com域的时候,我们设置了a.com域的cookie值。

末了补充一句,似乎只有IE对跨域访问COOKIE限制比较严格,上述代码在FIREFOX下测试,即使不发送P3P头信息,也能成功。

==========================================

通过Fiddler可以方便的知道上面P3P代码的含义

P3P Header is present:

CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.

CURa

Information is used to complete the activity for which it was provided.

ADMa

Information may be used for the technical support of the Web site and its computer system.

DEVa

Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.

PSAo

Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

PSDo

Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

OUR

We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

BUS

Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.

UNI

Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.

PUR

Information actively generated by the purchase of a product or service, including information about the method of payment.

INT

Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.

DEM

Data about an individual's characteristics -- such as gender, age, and income.

STA

Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.

PRE

Data about an individual's likes and dislikes -- such as favorite color or musical tastes.

COM

Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.

NAV

Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.

OTC

Other types of data not captured by the above definitions.

NOI

Web Site does not collected identified data.

DSP

The privacy policy contains DISPUTES elements.

COR

Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

Validate at: http://www.w3.org/P3P/validator.html

Learn more at: http://www.fiddlertool.com/redir/?id=p3pinfo

文章说的主要是跨域设置COOKIE的情况,如果是跨域读取COOKIE的情况,只要保证在对应设置COOKIE的时候设置P3P即可,否则在读取的事情IE会屏蔽跨域COOKIE。在Internet Explorer Cookie Internals (FAQ)一文里对这个情况有描述。

参考文档:http://www.w3.org/P3P/

发表回复