Preface

I haven’t updated my blog for a long time, and I’m still too lazy to update it today!

Today I'll write down the solution to a small problem I ran into some time ago: cross-domain!

I believe cross-domain is a problem most developers have run into at some point, and many bloggers have shared content on it. This time I didn't use their approach to solve it, so I'm recording mine.

The problem

One system in our company is on a different domain name from the main system, but we need to integrate all the systems under one framework, which we do with an IFrame, and use single sign-on to log in to all of them. This design leads to cross-domain problems when accessing a system on a different domain name. The usual solution is to configure a cross-domain (CORS) interceptor in Spring Boot to allow cross-domain access.

However, after applying this configuration we still could not log in. The most obvious symptom was that the session ID was different for every request, even for multiple requests from the same page. So we could not rely on the session to keep the user logged in.

The solution

After persistent Googling, the problem was tentatively identified as being caused by Chrome's SameSite cookie attribute. Starting with Chrome 51, the browser supports a SameSite attribute on cookies to protect against CSRF attacks and user tracking. This attribute has three values, which are explained in detail in this article.

We chose to lift this restriction by setting the attribute to None, like this:

// Intended: set the JSESSIONID cookie with SameSite=None and Secure (this version is the broken one)
response.setHeader("Set-Cookie", "SameSite=None; Secure; JSESSIONID=xxx");

Note that the code above has a pitfall.

Set up like this, we expected that after a request the response would set the JSESSIONID cookie. However, it did not have the desired effect.

By the time I had nearly pulled all my hair out, after re-reading the article above several times, I changed the code on a hunch, as follows:

// The cookie's own name=value pair comes first; everything after the first ";" is an attribute
response.setHeader("Set-Cookie", "JSESSIONID=xxx; SameSite=None; Secure");

If you look closely, only the position of JSESSIONID has changed. And then it worked. Heavens, just a matter of position! The reason is that in a Set-Cookie header the first name=value pair is the cookie itself and everything after it is treated as an attribute, so the first version actually created a cookie named SameSite with the value None, and JSESSIONID=xxx was silently dropped as an unknown attribute.
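As an added example that is not code from the original post, here is a minimal Set-Cookie parser following the RFC 6265 rule the browser applies (first pair is the cookie, the rest are attributes), run over both header strings from the post. The parser is deliberately simplified (no quoted values or date parsing) and the cookie values are the post's own placeholders.

```python
# Added example (not from the original post): shows why
# "SameSite=None; Secure; JSESSIONID=xxx" never sets JSESSIONID.
# Simplified RFC 6265 section 5.2 parsing; quoted values are not handled.

KNOWN_ATTRIBUTES = {"expires", "max-age", "domain", "path",
                    "secure", "httponly", "samesite"}


def parse_set_cookie(header_value: str) -> dict:
    """Split a Set-Cookie header value into the cookie pair and its attributes."""
    pair, _, rest = header_value.partition(";")
    name, _, value = pair.strip().partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "attributes": {}, "ignored": []}
    for av in rest.split(";"):
        av = av.strip()
        if not av:
            continue
        attr_name, _, attr_value = av.partition("=")
        key = attr_name.strip().lower()
        if key in KNOWN_ATTRIBUTES:
            cookie["attributes"][key] = attr_value.strip()
        else:
            # Unknown attribute-value pairs are silently ignored by browsers.
            cookie["ignored"].append(av)
    return cookie


def usable_cross_site(cookie: dict) -> bool:
    """True only if the cookie will be sent in the cross-site IFrame scenario:
    SameSite=None must be paired with Secure, otherwise Chrome rejects the cookie."""
    attrs = cookie["attributes"]
    return attrs.get("samesite", "").lower() == "none" and "secure" in attrs


# The two header values from the post (xxx is the post's placeholder session id).
BROKEN = "SameSite=None; Secure; JSESSIONID=xxx"
FIXED = "JSESSIONID=xxx; SameSite=None; Secure"

if __name__ == "__main__":
    for header in (BROKEN, FIXED):
        c = parse_set_cookie(header)
        print(f"{header!r} -> cookie {c['name']}={c['value']}, "
              f"attributes={c['attributes']}, ignored={c['ignored']}")
```

Note that Secure also means the browser only stores the cookie when the response arrives over HTTPS, so the check above is necessary but a plain-HTTP deployment would still fail.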

And that is the end of this little filler post ~