Problem description
IE10 appears to handle cookies and subdomains differently than other major browsers (IE8, IE9, Firefox, Chrome, Safari).
We use subdomains extensively for test environments, e.g.:
- user1.devel.example.com
- user2.devel.example.com
- qa.example.com
And our production environment lives at the top, e.g. example.com (and technically at www.example.com as well).
We use the php setcookie($name, $value, $expires) function naively (no explicit path or domain is specified) to set a cookie, and then clear cookies (when user logs out) by assigning an empty string to the value. This has always worked fine, and each unique subdomain used its own cookies.
IE10 now "shares" the cookie that was set in the TLD with all subdomains. The initial symptom we observed was that no one could log out of the subdomain. We've observed a few things:
- Even though it shares the value, no subdomain is able to clear the cookie.
- When the TLD clears the cookie, it is immediately removed from all subdomains as well.
Has anyone else observed similar behavior to how IE10 stores/applies cookies relative to subdomains? Is there any workaround, other than being explicit about which domain the cookie applies to when sending the initial Set-Cookie header?
I have just run into this issue.
Here is a link to someone exploring this bug/issue: Cookies with and without the Domain Specified (browser inconsistency)
This also might be related: Cookie set for subdomain, but IE Developer Tools show cookie at root domain. What am I missing?
My conclusion is that when setting a cookie from a non-www root domain ( http://sites.com ), in IE this is seen as a wildcard cookie for all subdomains. Chrome and Firefox do not show this behavior - they associate a cookie set from a non-www root domain as being associated only with that root.
I coded up example sites using .net webforms, IIS and my hosts file. I had 3 sites: a.site.com, b.site.com and site.com. They all served cookies with the exact same name. Let's call it "ShoppingCart".
You can set multiple properties on cookies, including the domain the cookie should be associated with. I left this property to be defined/left undefined by .net. When Chrome received the cookie from each site, it displayed the domain of the cookie as being explicitly from the domain listed in the browser address bar. In IE this was not the case. IE treats the cookie from http://sites.com as being defined as ".sites.com" and according to the RFC for cookies this means it is accessible from all subdomains.
Also in IE, if multiple cookies are set with the same name, IE returns them to the server in the order they were set. So if I visit http://sites.com first and then visit http://a.sites.com and then refresh, IE views the cookie from http://sites.com as a valid cookie to send to the server in its request for http://a.sites.com, which is sent along with the cookie for http://a.sites.com, except the cookie for http://sites.com is the first in the list.
In .net, from what I've seen, cookies are generally accessed by keyname and not by index. So when the server side code attempts to access the value for the key named "ShoppingCart", it will grab the value for the first site that set the cookie value - here that would be http://sites.com.
In summary - don't use non-www domains when you have subdomains that all share the same cookie key names because, while Chrome/Firefox handle the domain association as you would expect, IE causes buggy behavior.
Edit--
Just to clarify for anyone reading this, I was using IE10 to explore this issue.
這篇關(guān)于IE10 默認(rèn)跨子域共享 cookie的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!