Preface

At present the company has two platforms: one serves ordinary users through an H5 client, the other provides enterprises with a PC web site. The two platforms share one login system and one user system. Over time, fields were added to the user system to tell the different business scenarios apart, which left it with a great deal of redundancy, so a refactoring is about to start that separates the original user systems while keeping the same shared login system. During the refactoring I took many detours because of problems caused by my misjudging how cookies work, so I decided to document these problems as a warning.

A cookie is a string that the server writes to the client browser; it consists mainly of a key, a value, an expiration time, a path and a domain. This post is mainly about the use of the domain.

1. Domain not set

By default the cookie is valid only under the current domain, that is, the host that set it.

2. Domain set explicitly

The cookie is valid in the specified domain and in all subdomains under it. "Valid" means that the browser automatically places the cookie in the request header whenever it requests a resource under a matching domain name.

3. SSO implementation

Assume that the login domain name is login.olange.cn and that the sites whose logins must be verified are a.olange.cn and b.olange.cn. When I access a.olange.cn without having logged in yet, I am redirected to the login page at login.olange.cn. After the user name and password are submitted and verified successfully, the token must be written into a cookie. Set the cookie's domain to their common parent domain, olange.cn, so that the browser carries the token when it accesses a.olange.cn and b.olange.cn.

4. Can Domain be set to any value?

The server can send any value, but the browser will not accept it. For security reasons the browser stores only cookies whose domain is the current domain or one of its parent domains; all others are discarded.
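The rules in sections 1, 2 and 4 can be checked with a small model of how a browser decides whether to store a cookie and to which hosts it later sends it. This is an added example, not code from the original post; the hostnames are the ones used above, and the tiny public-suffix set is a constructed stand-in for the full list a real browser consults (which is why a cookie scoped to a bare suffix such as "cn" is rejected as well).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, deliberately tiny stand-in for the public suffix list; a real
# browser consults the full list so a token can never be scoped to every .cn site.
PUBLIC_SUFFIXES = {"cn", "com", "com.cn"}


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str        # the domain the cookie is scoped to
    host_only: bool    # True when Set-Cookie carried no Domain attribute


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 domain matching: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def accept_cookie(request_host: str, name: str, value: str,
                  domain_attr: Optional[str] = None) -> Optional[StoredCookie]:
    """Decide whether the browser stores a cookie set by request_host.

    Returns the stored cookie, or None when the browser discards it.
    """
    if domain_attr is None:
        # Section 1: no Domain attribute -> host-only cookie for the setting host.
        return StoredCookie(name, value, request_host.lower(), host_only=True)
    domain = domain_attr.lower().lstrip(".")   # a leading dot is ignored
    if domain in PUBLIC_SUFFIXES:
        # Domain=cn would expose the token to every .cn site; browsers reject it.
        return None
    if not domain_match(request_host, domain):
        # Section 4: only the current host or one of its parent domains is allowed.
        return None
    return StoredCookie(name, value, domain, host_only=False)


def is_sent_to(cookie: StoredCookie, request_host: str) -> bool:
    """Does the browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    # Section 2: the domain itself and all of its subdomains receive the cookie.
    return domain_match(request_host, cookie.domain)
```

With these rules, a token set by login.olange.cn with Domain=olange.cn reaches a.olange.cn and b.olange.cn, while the same token set without a Domain attribute stays on login.olange.cn alone.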