IE里Cookie跨域不能读取

  最近在做一个流量统计的东西的时候,偶然发现IE在对iframe里面的页面写Cookie的时候有一些安全限制,导致读取Cookie不成功,找了好长时间的解决办法,重要找到如下的办法:


  1.页面里的COOKIE不能是浏览器进程的COOKIE(包括验证票和不设置超时时间的COOKIE),否则跨域会取不到.这点做跨域COOKIE的人比较少提到.不过实际上留意下几家大学做的方案,有细微的提到他们的验证模块里的COOKIE是有设置超时时间的.

  2.当利用IFRAME时,记得要在相应的动态页的页头添加一下P3P的信息,否则IE会自觉的把IFRAME框里的COOKIE给阻止掉,产生问题.本身不保存自然就取不到了.这个其实是FRAMESET和COOKIE的问题,用FRAME或者IFRAME都会遇到.

  3.测试时输出TRACE,会减少很多测试的工作量.

  只需要设置 P3P HTTP Header,在隐含 iframe 里面跨域设置 cookie 就可以成功。他们所用的内容是:


P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
IE11+需要设置为上面完整内容,要不cookie可能无法生成被拦截。因为IE11 Internet选项-安全-默认勾选了启用保护模式的情况下,跨域写cookie失败。其他浏览器都可以成功写入。




ASP直接在头部加了头部申明,测试有效。

-HTML
<%Response.AddHeader "P3P""CP=CAO PSA OUR"%>


php的话,应该是如下写法:

-PHP
header('P3P: CP=CAO PSA OUR');


ASP.NET的话
通过在代码上加

-C#
Response.AddHeader("P3P""CP=CAO PSA OUR");

或者在Window服务中将ASP.NET State Service 启动。

JSP:
response.setHeader("P3P","CP=CAO PSA OUR")

英语原文解析
You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.

Visit the following MSDN Web site for a complete list of satisfactory and unsatisfactory policy codes:

Privacy in Internet Explorer 6
http://msdn.microsoft.com/workshop/security/privacy/overview/privacyie6.asp
A simple compact policy that fulfills this criteria follows:

P3P: CP="CAO PSA OUR"

This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only "pseudo-analyzed", which means that the data is connected to your online persona and not to your physical identity (PSA), and that your data is not supplied to any outside agencies for those agencies to use (OUR).

You can set this header if you use the Response.AddHeader method in an ASP page. In ASP.NET, you can use the Response.AppendHeader method. You can use the IIS Management Snap-In (inetmgr) to add to a static file.

Follow these steps to add this header to a static file:

1. Click Start, click Run, and then type inetmgr.
2. In the left navigation page, click the appropriate file or directory in your Web site to which you want to add the header, right-click the file, and then click Properties.
3. Click the HTTP Headers tab.
4. In the Custom HTTP Headers group box, click Add.
5. Type P3P for the header name, and then for the compact policy string, type CP=..., where "..." is the appropriate code for your compact policy.

Alternatively, Internet Explorer users can modify their privacy settings so that they are prompted to accept third party content. The following steps show how to modify the privacy settings:

1. Run Internet Explorer.
2. Click Tools, and then click Internet Options.
3. Click the Privacy tab, and then click Advanced.
4. Click to select the Override automatic cookie handling check box.
5. To allow ASP and ASP.NET session cookies to be set, click to select the Always allow session cookies check box.
6. To receive a prompt for any type of third party cookie, click Prompt in the Third-party Cookies list.

来源:http://hi.baidu.com/duwuzhe722/blog/item/325dd9c6fa04260a9c163dd4.html

评论(2)网络
阅读(544)喜欢(0)不喜欢(0)Asp.Net/C#