Problem description
IE10 appears to handle cookies and subdomains differently than other major browsers (IE8, IE9, Firefox, Chrome, Safari).
We use subdomains extensively for test environments, e.g.:
- user1.devel.example.com
- user2.devel.example.com
- qa.example.com
And our production environment lives at the top, e.g. example.com (and technically at www.example.com as well).
We use the php setcookie($name, $value, $expires) function naively (no explicit path or domain is specified) to set a cookie, and then clear cookies (when user logs out) by assigning an empty string to the value. This has always worked fine, and each unique subdomain used its own cookies.
IE10 now "shares" the cookie that was set in the TLD with all subdomains. The initial symptom we observed was that no one could log out of the subdomain. We've observed a few things:
- Even though it shares the value, no subdomain is able to clear the cookie.
- When the TLD clears the cookie, it is immediately removed from all subdomains as well.
Has anyone else observed similar behavior to how IE10 stores/applies cookies relative to subdomains? Is there any workaround, other than being explicit about which domain the cookie applies to when sending the initial Set-Cookie header?
I have just run into this issue.
Here is a link to someone exploring this bug/issue: Cookies with and without the Domain Specified (browser inconsistency)
This also might be related: Cookie set for subdomain, but IE Developer Tools show cookie at root domain. What am I missing?
My conclusion is that when setting a cookie from a non-www root domain (http://sites.com), in IE this is seen as a wildcard cookie for all subdomains. Chrome and Firefox do not show this behavior - they associate a cookie set from a non-www root domain as being associated only with that root.
I coded up example sites using .net webforms, IIS and my hosts file. I had 3 sites: a.site.com, b.site.com and site.com. They all served cookies with the exact same name. Let's call it "ShoppingCart".
You can set multiple properties on cookies, including the domain the cookie should be associated with. I left this property to be defined/left undefined by .net. When Chrome received the cookie from each site, it displayed the domain of the cookie as being explicitly from the domain listed in the browser address bar. In IE this was not the case. IE treats the cookie from http://sites.com as being defined as ".sites.com" and according to the RFC for cookies this means it is accessible from all subdomains.
Also in IE, if multiple cookies are set with the same name, IE returns them to the server in the order they were set. So if I visit http://sites.com first and then visit http://a.sites.com and then refresh, IE views the cookie from http://sites.com as a valid cookie to send to the server in its request for http://a.sites.com, which is sent along with the cookie for http://a.sites.com, except the cookie for http://sites.com is the first in the list.
In .net, from what I've seen, cookies are generally accessed by keyname and not by index. So when the server side code attempts to access the value for the key named "ShoppingCart", it will grab the value for the first site that set the cookie value - here that would be http://sites.com.
In summary - don't use non-www domains when you have subdomains that all share the same cookie key names because, while Chrome/Firefox handle the domain association as you would expect, IE causes buggy behavior.
Edit--
Just to clarify for anyone reading this, I was using IE10 to explore this issue.
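The following is an added illustration, not code from the question or the answer above: a small model of the browser-side decision of which stored cookies are sent to a host, contrasting the RFC 6265 host-only rule with the IE10 behaviour described in the thread, plus a server-side parser that surfaces the duplicate "ShoppingCart" names instead of silently taking the first one. The `Cookie` class, the `ie_legacy` flag and the sample jar are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    set_by: str              # host whose response carried the Set-Cookie header
    domain: Optional[str]    # explicit Domain attribute, None if it was omitted

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: equal, or host ends in '.' + domain."""
    domain, host = domain.lstrip(".").lower(), host.lower()
    return host == domain or host.endswith("." + domain)

def cookie_applies(cookie: Cookie, host: str, ie_legacy: bool) -> bool:
    if cookie.domain is not None:
        return domain_matches(host, cookie.domain)
    if ie_legacy:
        # IE10 behaviour from the thread (modelled here): a missing Domain
        # attribute is read as ".set_by", so the cookie flows to every subdomain.
        return domain_matches(host, cookie.set_by)
    # RFC 6265: a missing Domain attribute means a host-only cookie.
    return host.lower() == cookie.set_by.lower()

def build_cookie_header(jar: List[Cookie], host: str, ie_legacy: bool) -> str:
    """Emit matching cookies in storage order, as the answer describes for IE."""
    return "; ".join(f"{c.name}={c.value}"
                     for c in jar if cookie_applies(c, host, ie_legacy))

def parse_cookie_header(header: str) -> Dict[str, List[str]]:
    """Keep every value per name so a duplicate is visible, not silently dropped."""
    out: Dict[str, List[str]] = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        out.setdefault(name, []).append(value)
    return out

def duplicate_names(header: str) -> List[str]:
    """Names sent more than once: the signal that a parent-domain cookie leaked in."""
    return [n for n, vs in parse_cookie_header(header).items() if len(vs) > 1]

# Constructed sample jar: sites.com set its cookie first, then a.sites.com did.
JAR = [Cookie("ShoppingCart", "root-cart", "sites.com", None),
       Cookie("ShoppingCart", "a-cart", "a.sites.com", None)]
```

Note that under RFC 6265 an explicit Domain attribute always makes a cookie visible to subdomains too, so the only way to obtain a host-only cookie is to omit Domain, which is exactly the case IE10 mishandles here.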
這篇關于IE10 默認跨子域共享 cookie的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!