IE10 shares cookies across subdomains by default


IE10 appears to handle cookies and subdomains differently than other major browsers (IE8, IE9, Firefox, Chrome, Safari).

We use subdomains extensively for test environments, e.g.:

  • user1.devel.example.com
  • user2.devel.example.com
  • qa.example.com

And our production environment lives at the top, e.g. example.com (and technically at www.example.com as well).

We use the php setcookie($name, $value, $expires) function naively (no explicit path or domain is specified) to set a cookie, and then clear cookies (when user logs out) by assigning an empty string to the value. This has always worked fine, and each unique subdomain used its own cookies.

IE10 now "shares" the cookie that was set in the TLD with all subdomains. The initial symptom we observed was that no one could log out of the subdomain. We've observed a few things:

  • Even though it shares the value, no subdomain is able to clear the cookie.
  • When the TLD clears the cookie, it is immediately removed from all subdomains as well.

Has anyone else observed similar behavior to how IE10 stores/applies cookies relative to subdomains? Is there any workaround, other than being explicit about which domain the cookie applies to when sending the initial Set-Cookie header?

Solution

I have just run into this issue.

Here is a link to someone exploring this bug/issue: Cookies with and without the Domain Specified (browser inconsistency)

This also might be related: Cookie set for subdomain, but IE Developer Tools show cookie at root domain. What am I missing?

My conclusion is that when setting a cookie from a non-www root domain ( http://sites.com ), in IE this is seen as a wildcard cookie for all subdomains. Chrome and Firefox do not show this behavior - they associate a cookie set from a non-www root domain as being associated only with that root.

I coded up example sites using .net webforms, IIS and my hosts file. I had 3 sites: a.site.com, b.site.com and site.com. They all served cookies with the exact same name. Let's call it "ShoppingCart".

You can set multiple properties on cookies, including the domain the cookie should be associated with. I left this property to be defined/left undefined by .net. When Chrome received the cookie from each site, it displayed the domain of the cookie as being explicitly from the domain listed in the browser address bar. In IE this was not the case. IE treats the cookie from http://sites.com as being defined as ".sites.com" and according to the RFC for cookies this means it is accessible from all subdomains.

Also in IE, if multiple cookies are set with the same name, IE returns them to the server in the order they were set. So if I visit http://sites.com first and then visit http://a.sites.com and then refresh, IE views the cookie from http://sites.com as a valid cookie to send to the server in its request for http://a.sites.com, which is sent along with the cookie for http://a.sites.com, except the cookie for http://sites.com is the first in the list.

In .net, from what I've seen, cookies are generally accessed by keyname and not by index. So when the server side code attempts to access the value for the key named "ShoppingCart", it will grab the value for the first site that set the cookie value - here that would be http://sites.com.

In summary - don't use non-www domains when you have subdomains that all share the same cookie key names because, while Chrome/Firefox handle the domain association as you would expect, IE causes buggy behavior.

Edit--

Just to clarify for anyone reading this, I was using IE10 to explore this issue.
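The cookie scoping discussed in the question and answer above, as an added example that is not part of either post: a small Python cookie jar that models RFC 6265 host-only versus domain cookies, with a switch that imitates the IE10 behaviour the answer describes (assumed model: a Domain-less cookie set from a two-label host such as example.com is stored as a domain cookie). `Jar`, `reproduce`, `server_value` and every host, cookie name and value here are constructed for illustration.

```python
# Added example, not code from the original question or answer: a cookie jar in the style
# of RFC 6265 with an optional switch imitating the IE10 quirk. All inputs are constructed.

def domain_matches(host, domain):
    """RFC 6265 section 5.1.3: host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

class Jar:
    def __init__(self, ie10_quirk=False):
        self.cookies = []              # kept in the order they were set
        self.ie10_quirk = ie10_quirk

    def set_cookie(self, host, name, value, domain=None):
        """Store a Set-Cookie from `host`; without a Domain attribute it is host-only."""
        host_only = domain is None
        if host_only:
            domain = host
            # Assumed model of the IE10 quirk: a Domain-less cookie set from a bare
            # non-www root (two labels, e.g. example.com) becomes a domain cookie.
            if self.ie10_quirk and host.count(".") == 1:
                host_only = False
        for c in self.cookies:         # same name, domain and flag: overwrite in place
            if (c["name"], c["domain"], c["host_only"]) == (name, domain, host_only):
                c["value"] = value
                return
        self.cookies.append({"name": name, "value": value,
                             "domain": domain, "host_only": host_only})

    def cookie_header(self, host):
        """Name/value pairs sent with a request to `host`, oldest first."""
        sent = []
        for c in self.cookies:
            ok = (c["domain"].lower() == host.lower() if c["host_only"]
                  else domain_matches(host, c["domain"]))
            if ok:
                sent.append((c["name"], c["value"]))
        return sent

def server_value(pairs, name):
    """What a framework that looks cookies up by name sees: the first match wins."""
    return next((v for n, v in pairs if n == name), None)

def reproduce(ie10_quirk):
    """Replay the question: log in on the root, log in and out on a subdomain."""
    jar = Jar(ie10_quirk)
    jar.set_cookie("example.com", "session", "root-user")
    jar.set_cookie("user1.devel.example.com", "session", "u1")
    jar.set_cookie("user1.devel.example.com", "session", "")   # logout blanks the value
    return jar.cookie_header("user1.devel.example.com")
```

With the quirk on, `reproduce(True)` returns the root cookie first and the blanked subdomain cookie second, so a name-based lookup still yields the root session and the logout appears to fail; with the quirk off the root cookie is never sent to the subdomain.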
