Understanding cookie domain relationship with top level domain and its subdomains

怎甘沉沦 submitted on 2019-12-13 19:35:15

Question


I have a domain with 2 subdomains like this: www.domain.com and secure.domain.com (with SSL). The www subdomain will be running vBulletin (prone to XSS attacks), and the web service behind the secure subdomain is, well, more secure as well as more sensitive to attacks, since real money is involved there. domain.com is 301 redirecting to www.domain.com. Now I'd like to have a single sign-on to both of the services without compromising the security of the secure subdomain. It seems to me there are 2 ways of doing this:

  1. Using OpenID and, after successful authentication, setting the cookie domain only to the respective subdomains, for example .www.domain.com and .secure.domain.com, so that secure.domain.com cookies will not be sent to the attacker in case of an intrusion in www.domain.com

  2. Only enabling users to log on from secure.domain.com and setting 2 cookies: 1 with .domain.com for seamless authentication to www.domain.com, and another cookie with .secure.domain.com to verify that the user has authenticated through the secure subdomain.

My understanding is that when it comes to SSO across several web apps on a single domain and its subdomains, running any app on the top-level domain such as domain.com would be a potential security risk, because the app on the top level will always be sent all the cookies set by subdomains, and subdomains will be able to set and receive cookies of the top-level domain.

The question is this: Are my assumptions correct or did I miss something?


Answer 1:


You can set the cookie as secure and it will be sent only over SSL connections (no matter what domain the client connects to). Of course, more complicated scenarios are possible as well.
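The question's two cookie layouts and the answer's Secure flag can both be checked against a small model of the browser's cookie-sending rules. The following is an added example, not code from the question or the answer: it implements RFC 6265 domain matching (a cookie with Domain=domain.com is sent to domain.com and every host under it; Domain=secure.domain.com only to secure.domain.com and its own subdomains) plus the Secure attribute (cookie withheld on plain http), and applies it to the hosts named in the question. The cookie names (`sso`, `secure_session`, `www_login`, ...) are constructed for the example; Path, SameSite, expiry and the public-suffix check are deliberately left out.

```python
"""Model of which cookies a browser attaches to a request (added example).

Implements the RFC 6265 section 5.1.3 domain-match rule and the Secure
attribute, then applies it to the two SSO layouts from the question.
Path, SameSite, expiry and public-suffix rules are intentionally omitted.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # Domain attribute as sent by the server (".domain.com" style ok)
    secure: bool = False  # Secure attribute: only sent over https
    host_only: bool = False  # server sent no Domain attribute -> exact host only


def normalize_domain(domain: str) -> str:
    """Browsers strip a leading dot and lower-case the Domain attribute."""
    return domain.lstrip(".").lower()


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain
    of it (suffix match on a label boundary, so 'evildomain.com' never matches
    'domain.com')."""
    request_host = request_host.lower()
    cookie_domain = normalize_domain(cookie_domain)
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent(jar, url):
    """Return the sorted names of the cookies in `jar` a browser would attach
    to a request for `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    is_https = parts.scheme == "https"
    sent = []
    for c in jar:
        if c.host_only:
            if host != normalize_domain(c.domain):
                continue
        elif not domain_matches(host, c.domain):
            continue
        if c.secure and not is_https:
            continue  # Secure cookies are withheld on plain http
        sent.append(c.name)
    return sorted(sent)


# Layout 1 from the question: every cookie scoped to its own subdomain (constructed names).
OPTION1_JAR = (
    Cookie("www_login", ".www.domain.com"),
    Cookie("secure_login", ".secure.domain.com", secure=True),
)

# Layout 2 from the question: one cookie for the whole domain plus a Secure
# cookie scoped to secure.domain.com (constructed names).
OPTION2_JAR = (
    Cookie("sso", ".domain.com"),
    Cookie("secure_session", ".secure.domain.com", secure=True),
)


def report(jar):
    """Which cookies each host in the question would receive."""
    return {
        url: cookies_sent(jar, url)
        for url in (
            "http://www.domain.com/",
            "https://secure.domain.com/",
            "http://secure.domain.com/",  # same host, no TLS
            "https://domain.com/",        # the apex the question worries about
        )
    }


if __name__ == "__main__":
    for label, jar in (("option 1", OPTION1_JAR), ("option 2", OPTION2_JAR)):
        print(label)
        for url, names in report(jar).items():
            print(f"  {url:30} -> {names}")
```

Running it shows the point each post is making: with layout 2 the `sso` cookie set for `.domain.com` reaches www, secure and the apex alike, so a script injected into www.domain.com can read it, while `secure_session` stays on secure.domain.com and, because of the Secure attribute, is never sent over plain http even to that host. With layout 1 neither cookie reaches the apex or the other subdomain at all.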



Source: https://stackoverflow.com/questions/7065978/understanding-cookie-domain-relationship-with-top-level-domain-and-its-subdomain
