Some uncommon cookie problems and their solutions

Preface
At present the company has two platforms: an h5 client for ordinary users, and a PC web side that provides services to enterprises. The two platforms share one login system and one user system. Over time, distinguishing between the different business scenarios has left the user system with a large number of redundant fields. We are now about to start refactoring: the original users will be separated, but both platforms will still use the same login system. During the refactoring, a wrong judgment about cookies caused some problems and I took a lot of detours, so I decided to record these problems as a warning.
A cookie is a string that the server writes to the client browser. It mainly consists of a key, a value, an expiration time, a path and a domain. This article focuses on the use of domain.
1. Domain not set
By default the cookie is valid only under the current domain.
2. Domain set to a specific domain
The cookie is valid for the specified domain and for all subdomains under that domain. This means that the browser automatically puts the cookie in the request header when accessing a resource under a valid domain name.
3. Implementing SSO (Single Sign-On)
Suppose the login domain name is login.olange.cn, and the sites that require a verified login are a.olange.cn and b.olange.cn. When I access a.olange.cn without having logged in, I am redirected to the login page on login.olange.cn. After I submit the login name and password and the verification succeeds, the server writes the token into a cookie. Set the cookie's domain to the parent domain olange.cn, so that browsers will carry the token when accessing a.olange.cn and b.olange.cn.
4. Can the domain be set freely?
Yes, but the browser won’t accept it. For security reasons, the browser will only store cookies from the current domain and its parent domain; the rest will be discarded.
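The four cases above, as an added example that is not code from the original article: a simplified model of what the browser stores and later sends. The function names and the token value are constructed for illustration, and public-suffix rejection, Path, Secure and SameSite are not modelled.

```javascript
// Simplified model of browser handling of the cookie Domain attribute.
// Assumption: real browsers also refuse public suffixes (e.g. Domain=cn);
// that check is left out here.

// RFC 6265 domain-match: host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// What the browser stores when `setterHost` sends Set-Cookie.
// Returns null when the cookie is discarded.
function storeCookie(setterHost, name, value, domainAttr) {
  if (!domainAttr) {
    // Case 1: no Domain, so the cookie is bound to the exact host.
    return { name, value, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot ignored
  // Case 4: Domain must be the setter's own host or one of its parents.
  if (!domainMatch(setterHost, domain)) return null;
  // Case 2: valid for the domain and all of its subdomains.
  return { name, value, domain, hostOnly: false };
}

// Would the browser attach this stored cookie to a request for `requestHost`?
function isSent(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Case 3 (SSO): the login host writes the token with the parent domain.
const TOKEN = "constructed-sample-token";
const sso = storeCookie("login.olange.cn", "token", TOKEN, "olange.cn");
const hostOnly = storeCookie("login.olange.cn", "token", TOKEN, undefined);
const sibling = storeCookie("login.olange.cn", "token", TOKEN, "a.olange.cn");
const foreign = storeCookie("login.olange.cn", "token", TOKEN, "example.com");

console.log("SSO cookie sent to a/b:", isSent(sso, "a.olange.cn"), isSent(sso, "b.olange.cn"));
console.log("host-only cookie sent to a:", isSent(hostOnly, "a.olange.cn"));
console.log("sibling / foreign Domain stored:", sibling, foreign);
```

Because the parent-domain cookie is sent to every host under olange.cn, each of those hosts receives the token, not only a.olange.cn and b.olange.cn.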
