以下是測試過程
首先,
編輯hosts文件,加入測試域名(C:/WINDOWS/system32/drivers/etc/hosts)
127.0.0.1 www.a.com
127.0.0.1 www.b.com
首先:創建 a_setcookie.php 文件,內容如下:
<?php
//header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie ( "test" , $_GET [ 'id' ], time ()+ 3600 , "/" , ".a.com" );
?>
然後:創建 a_getcookie.php 文件,內容如下:
<?php
var_dump ( $_COOKIE );
?>
最後:創建 b_setcookie.php 文件,內容如下:
<script src=" http://www.a.com/a_setcookie.php?id=www.b.com"></script >
----------------------------
三個文件創建完畢後,我們通過瀏覽器依次訪問:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
我們會發現,在訪問b.com域的時候,我們並沒有在a.com域設置上cookie值。
然後我們修改一下a_setcookie.php文件,去掉註釋符號,a_setcookie.php即爲:
<?php
header ( 'P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"' );
setcookie ( "test" , $_GET [ 'id' ], time ()+ 3600 , "/" , ".a.com" );
?>
再次通過瀏覽器依次訪問:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
這次,你會發現在訪問b.com域的時候,我們設置了a.com域的cookie值。
末了補充一句,似乎只有IE對跨域訪問COOKIE限制比較嚴格,上述代碼在FIREFOX下測試,即使不發送P3P頭信息,也能成功。
=========================================
通過Fiddler可以方便的知道上面P3P代碼的含義
P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.
CURa
Information is used to complete the activity for which it was provided.
ADMa
Information may be used for the technical support of the Web site and its computer system.
DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used
to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used
to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.
UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.
INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
DEM
Data about an individual's characteristics -- such as gender, age, and income.
STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.
COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
OTC
Other types of data not captured by the above definitions.
NOI
Web Site does not collected identified data.
DSP
The privacy policy contains DISPUTES elements.
COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
Validate at: http://www.w3.org/P3P/validator.html
Learn more at: http://www.fiddlertool.com/redir/?id=p3pinfo
作者是老王 http://hi.baidu.com/thinkinginlamp/blog/item/5e2a02084f1dafd163d9865f.html
另外,他參考的文章是:http://www.dup2.org/node/384
以下是內容:
Passport 一方面意味着用一個帳號可以在不同服務裏登錄,另一方面就是在一個服務裏面登錄後可以無障礙的漫遊到其他服務裏面去。坦白說,目前 sohu passport 在這一點實現的很爛(不過俺的工作就是要把它做好啦,hehe)
搜狐的 SSO 需求比較麻煩,因爲它旗下有好多域名:sohu.com、chinaren.com、sogou.com、focus.cn、17173.com、go2map.com,登錄用戶漫遊的主要障礙也來自於此。
以前億郵的郵件系統在和別的系統整合的時候是提供一個 URL,用戶從第三方系統裏面點擊這個鏈接就可以生成訪問郵件界面所需的 cookie,然後進入郵件。這個方式的確很有效,但問題是:
1. 每個外部鏈接都必須用特殊的 URL 跳轉,維護很麻煩
2. 兩個系統集成已經很麻煩了,若是集成的系統有好幾個,彼此都需要跳轉而缺乏一箇中心機制就成了噩夢
3. 根本無法處理用戶直接在地址欄輸入地址進行訪問的情況
即使是跨域,上述的解決方法相對來說還是容易的。
A. 首先是所有登錄必須首先通過一箇中央服務器進行認證,然後在它那裏給瀏覽器種下 cookie(下面稱之爲 sso cookie)
B. 當用戶訪問另外的域名 app 的時候,瀏覽器是無法直接發送 sso cookie 給服務器認證的。此時應該利用 javascript,動態創建一個隱藏的 iframe,讓其訪問 sso
C. 這個 iframe 的請求是可以把 sso cookie 送給 sso server 的。sso server 驗證 cookie 後,返回一個重定向頁面到 app 的某個 URL,由該 URL 設置 app cookie
D. 此時瀏覽器上可看見的頁面容器實際上也是可以和重定向回來的內容交互的。比如可以用 js 控制發現重定向頁面成功返回後,就刷新整個頁面,讓它看起來和用戶登錄後訪問沒有什麼區別。
下面是真正的技巧:怎樣才能在 IE 裏面跨域去設置 cookie
上述技術看起來是不是很好?但它的前提是所有的登錄都 post 到 sso server 上,認證成功後再返回 app 頁面。可我接受到的需求之一就是要支持頁面無刷新登錄。
哈!就是說本來在 chinaren.com 上提交登錄表單的 action 應該是 passport.sohu.com 這個 sso server。可是在 AJAX 大潮下,chinaren 計劃採用 XMLHTTPRequest 提交,這個就麻煩了,因爲是不能跨域來提交的。
那麼解決方法就是跨域產生 cookie,即 js 發現口令校驗成功後,再在 passport.sohu.com 上種上合法的 cookie.
套用上面的跨域讀 cookie 的方案似乎很簡單去推論:就是創建一個隱含的 iframe,讓那個 iframe 去調用 passport.sohu.com 的 URL 來產生 cookie。很遺憾,此方法在 Fx 下工作的很好,但是不能在 IE 上應用。(在 IE 狀態欄上顯示 cookie 隱私警告,紅色圓底白橫槓)
我試了很多很多方法,包括創建 、 node,包括用 js 設置,但都一次次被 IE 無情的擋在了瀏覽器外。google 之,也沒有任何真正可用的答案,中文網頁要麼介紹的方法是錯的,要麼說無解。
最後還是在 chinaren 一哥們的幫助下,翻出了他們所使用的,以和 alumni.sohu.com 交互的方法(不知道是哪位牛人發現的),只需要設置 P3P HTTP Header ,在隱含 iframe 裏面跨域設置 cookie 就可以成功。他們所用的內容是:
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
最後是我做的一個小小的演示:cookie 怎麼在 vmx.cn 和 dup2.net 之間交互
1. http://qiuyingbo.test.vmx.cn/cookie.php
2. 隨便輸入什麼,點 reset cookie,就可以看到 vmx.cn 的 cookie 已經被設上了
3. 在該頁面點連接到 http://www.dup2.net/vmx/cookie.html
4. 點"get corss-domain cookie" .. (此時 js 會去創建一個iframe,請求 qiuyingbo.test.vmx.cn ,返回頁面把 cookie 值作爲 GET 參數重定向回 dup2.net 的另外一個URL。)
5. 點 "display corss-domain cookie" .. 就可以看到 vmx.cn 的 cookie 了
6. 在該頁面的輸入框中輸入其它的值,然後點 "set cross-domain cookie",該行爲將主動設置 vmx.cn 的 cookie
7. 點鏈接回到 http://qiuyingbo.test.vmx.cn/cookie.php ,就可以看到新的值了