Using the P3P header to solve iframe cross-domain cookie access (repost): iframe session lost
Asp.net cross-domain cookie fix; it drove me crazy all afternoon, but I finally found the solution
Source: http://blog.csdn.net/wonder4/archive/2008/02/27/2125804.aspx
Thanks to this expert; gratefully taken.
While integrating several applications recently, I ran into the problem that an iframe could not get the cookie (session). After googling I finally solved it, and I am writing it down here.
    compact-token = compact-access |
                    compact-disputes |
                    compact-remedies |
                    compact-non-identifiable |
                    compact-purpose |
                    compact-recipient |
                    compact-retention |
                    compact-categories |
                    compact-test
    compact-access = "NOI" | "ALL" | "CAO" | "IDC" | "OTI" | "NON"
    compact-disputes = "DSP"
    compact-remedies = "COR" | "MON" | "LAW"
    compact-non-identifiable = "NID"
    compact-purpose = "CUR" | "ADM" [creq] | "DEV" [creq] | "TAI" [creq] |
                      "PSA" [creq] | "PSD" [creq] | "IVA" [creq] | "IVD" [creq] |
                      "CON" [creq] | "HIS" [creq] | "TEL" [creq] | "OTP" [creq]
    creq = "a" | "i" | "o"
    compact-recipient = "OUR" | "DEL" [creq] | "SAM" [creq] | "UNR" [creq] |
                        "PUB" [creq] | "OTR" [creq]
    compact-retention = "NOR" | "STP" | "LEG" | "BUS" | "IND"
    compact-category = "PHY" | "ONL" | "UNI" | "PUR" | "FIN" | "COM" |
                       "NAV" | "INT" | "DEM" | "CNT" | "STA" | "POL" |
                       "HEA" | "PRE" | "LOC" | "GOV" | "OTC"
    compact-test = "TST"
There is also a P3P validation tool: http://www.w3.org/P3P/validator.html, which you can use to check whether the P3P policy you set is correct.
There is also a good blog post written by a foreigner that is worth a look: http://www.sitepoint.com/article/p3p-cookies-ie6/2
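As an added example that is not part of the original post, here is a small Python checker for the compact-policy grammar quoted above: it takes a P3P header value in any of the three forms this post uses (CP="...", CP='...' or bare CP=...), sorts each token into its grammar class and reports tokens the grammar does not recognise, which is a quick offline complement to the W3C validator linked above.

```python
import re

# Token tables transcribed from the P3P compact-policy grammar quoted above.
TOKEN_CLASSES = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"},
    "purpose": {"CUR"},      # in the quoted grammar CUR and OUR take no suffix
    "recipient": {"OUR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                 "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test": {"TST"},
}
# Tokens that may carry the optional creq suffix: a (always), i (opt-in), o (opt-out).
CREQ_TOKENS = {
    "purpose": {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"DEL", "SAM", "UNR", "PUB", "OTR"},
}

def classify_token(tok):
    """Return the grammar class of one compact token, or None if nothing matches."""
    if len(tok) == 4 and tok[3] in "aio":
        # A suffixed token is valid only if its 3-letter base is in a creq table.
        base = tok[:3]
        return next((cls for cls, t in CREQ_TOKENS.items() if base in t), None)
    for cls, table in list(TOKEN_CLASSES.items()) + list(CREQ_TOKENS.items()):
        if tok in table:
            return cls
    return None

def parse_cp_header(value):
    """Split a P3P header value (CP="...", CP='...' or bare CP=...) into
    ({grammar class: [tokens]}, [tokens the grammar does not recognise])."""
    m = re.fullmatch(r'\s*CP\s*=\s*(.*?)\s*', value, re.DOTALL)
    if not m:
        raise ValueError("not a compact-policy header value: %r" % value)
    body = m.group(1)
    if len(body) >= 2 and body[0] == body[-1] and body[0] in "\"'":
        body = body[1:-1]  # the spec form is CP="...", the post also uses CP='...'
    by_class, invalid = {}, []
    for tok in body.split():
        cls = classify_token(tok)
        if cls is None:
            invalid.append(tok)
        else:
            by_class.setdefault(cls, []).append(tok)
    return by_class, invalid
```

Run against the quoted grammar, the widely copied value that starts with CURa reports CURa as unrecognised, because CUR takes no a/i/o suffix there; the shorter CP=CAO PSA OUR value used later in this post parses cleanly.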
---- Other --------------------------------------------------------------
IE6/IE7 support the P3P (Platform for Privacy Preferences Project) specification and by default block third-party cookies that come with no privacy statement. Firefox does not yet support the P3P feature, so naturally this problem does not exist in Firefox.
In a frameset where an inner frame comes from a third-party site (a different IP address or domain name), IE by default disables that site's cookies: when it requests a URL there it does not send that site's cookies in the HTTP header, session cookie included. Note that cookies the site sets in its response are still delivered to the browser.
While the user is viewing a.php, cookies written by A.com are first-party cookies; the iframe embedded in it points to b.php, and the cookies B.com writes are then third-party cookies, so IE shuts them out. Consequently every submission that depends on that cookie fails, because the cookie never reaches the real server.
Solution

For a PHP program, you can put the following PHP code directly in site B; this way the third-party cookie is accepted.

PHP code:
    <?php
    header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
    ?>

lighttpd server (XML/HTML code):
    server.modules = ("mod_setenv")
    setenv.add-response-header = ( "P3P" => "CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'")

Apache server (XML/HTML code):
    <VirtualHost>
    Header set P3P 'CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"'
    </VirtualHost>

IIS server:
Fix it by adding an HTTP header to the website: Administrative Tools -> select a website -> Properties -> HTTP Headers, then add a header.
Enter the header name: P3P
Enter the header value: CP=CAO PSA OUR

JSP page (XML/HTML code):
    <%
    response.setHeader("P3P","CP=CAO PSA OUR");
    %>

Java code: the simplest approach is to add a filter (Java code):
    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    public class TransNameFilter extends HttpServlet implements Filter {
        private static Log logWriter = LogFactory.getLog(TransNameFilter.class.getName());

        public TransNameFilter() {
            super();
        }

        /* (non-Javadoc)
         * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
         */
        public void init(FilterConfig arg0) throws ServletException {
        }

        /* (non-Javadoc)
         * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
         */
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest hreq = (HttpServletRequest) request;
            String transName = hreq.getParameter("transName");
            // The original called a project helper Util.isNullOrEmpty(transName); the check is inlined here.
            if (transName == null || transName.length() == 0) {
                logWriter.fatal(" there is no transName for this request");
            } else {
                logWriter.info(" transName is " + transName);
            }

            HttpServletResponse res = (HttpServletResponse) response;
            // Cookies lost inside an iframe: send the P3P compact policy on every response
            res.setHeader("P3P", "CP=CAO PSA OUR");
            if (chain != null) {
                chain.doFilter(request, response);
            }
        }

        /* (non-Javadoc)
         * @see javax.servlet.Filter#destroy()
         */
        public void destroy() {
        }
    }