如何在子域名之间进行身份验证

huangapple go评论91阅读模式
英文:

How To Authenticate Across Subdomains

问题

我正在开发一个网络应用程序,实际上它由两个应用程序组成。一个应用程序称为“account”,处理与用户账户相关的所有事务,如身份验证、注册和账户管理。我还有一个应用程序,我们称之为“web”。

问题是,“account”在https://account.domain.com上进行监听,使用SSL/TLS,而“web”在http://www.domain.com上进行监听。

我有哪些选项可以让用户在“account.domain.com”上登录和进行身份验证,然后将他们重定向到实际上已登录的“www.domain.com”?据我所知,你不能在“account.domain.com”上设置一个cookie,然后让它在“domain.com”上工作,因为那样会存在安全风险。

关于我的应用程序的一些背景细节:

  1. 使用Go编程语言编写。

  2. 大部分的HTTP/HTTPS接口、URL路由和处理POST/GET参数都使用Gorilla Toolkit。

  3. 两个应用程序都在同一台虚拟服务器上运行。

我正在寻找一种安全的方式来在“domain.com”的所有子域和实际域中进行身份验证和会话管理。除了设置cookie之外,我对这个主题并不是特别了解。

英文:

I'm working on a web application which actually consists of two applications under the hood. One application is called account and handles all things related to user accounts such authentication, registration and management of the account. I also have an application we'll just call web.

The thing is that account listens on https://account.domain.com using SSL/TLS, and web listens on http://www.domain.com.

What options do I have for having people log in and authenticate account.domain.com and then redirecting them to www.domain.com where they're actually then logged in. As far as I know, you can't set up a cookie on account.domain.com and then have it work on domain.com as that would be a security risk.

Some background details about my applications:

  1. Written in the Go programming language.

  2. Makes use of the Gorilla Toolkit for most of the HTTP/HTTPS interfacing, URL routing and handling POST/GET parameters.

  3. Both applications live on the same virtual server.

What I'm looking for is a secure way to authenticate and manage a session across all subdomains of and the actual domain domain.com. I'm not particularly well versed in this subject, so aside from setting cookies, I don't know much.

答案1

得分: 6

我对大猩猩不够熟悉,但是类似这样的代码应该可以工作:

var store = sessions.NewCookieStore([]byte("something-very-secret"))

func init() {
    store.Options = &sessions.Options{
        Domain:   "domain.com", //this
        HttpOnly: true,
    }
}

基本上,你只需要将cookie的域名设置为.domain.com(前缀为.),在https://stackoverflow.com/a/1063760/145587中有更详细的解释。

//编辑

根据@Volker的说法,不需要使用点号(请参阅评论)。

英文:

I'm not familiar enough with gorilla but something like should work:

var store = sessions.NewCookieStore([]byte("something-very-secret"))

func init() {
	store.Options = &sessions.Options{
		Domain:   "domain.com", //this
		HttpOnly: true,
	}
}

Basically you just have to set the cookie's domain to .domain.com (with the prefix .), there's a more detailed explanation in https://stackoverflow.com/a/1063760/145587

//edit

According to @Volker, the dot isn't needed (see comments).

huangapple
  • 本文由 发表于 2014年9月1日 23:46:16
  • 转载请务必保留本文链接:https://go.coder-hub.com/25609270.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定