JWorld@TW the best professional Java site in Taiwan

JWorld@TW » Servlet/JSP discussion board

Topic: Sharing sessions between different websites [Featured]
Author: aladdin
Posted: 2003-12-05 14:29
Original title: OpenSource-030317 - inaugural issue - Liberty
browser wrote:
First, let's talk about web redirection.
Basically there are a few ways to do redirection:
1. HTTP-Redirect-Based Redirection (use status 302 and GET to the identity server)
2. Form-POST-Based Redirection (use POST and JavaScript)
3. Cookies (not recommended, because cookies are restricted by domain; they can be used if everything is under the same domain)

The principle of SSO is:
1. When you arrive at a service provider, it checks whether you are already authenticated.
2. If not, the service provider uses an HTTP redirect or a form POST to send the page to the identity provider.
3. When you arrive at the identity server, there is a place to log in.
4. Perform the login.
5. The identity server redirects you back to the service provider you came from, with a credential attached.
6. The service provider receives the redirect from the identity server and parses the credential.
7. The service provider uses that credential to go back to the identity server and obtain the user's data.

If cookies are used within the same domain, it is even simpler:
1. The user goes directly to the identity server to authenticate; it then redirects you to the common domain.
2. The common-domain service writes a cookie to your computer.
3. When you use another service provider site,
4. the service provider redirects you to the common domain.
5. The common-domain service takes your IDP list from the cookie, adds it to the URL and redirects back to the service provider.
6. If you have not logged in yet, you will be asked to log in.

As for how the profile should be passed,
see http://www.projectliberty.org/specs/liberty-architecture-bindings-profiles-v1.1.pdf

As for directory server authentication:
Can the password be compared? Use compare().
The chance that a directory server stores user passwords as plain text
is very small,
so you would not retrieve the password attribute and compare it yourself.



If this is a stupid question, please don't hit me.

I am quoting this passage because I spent half a day on jsptw today looking for single sign-on material, and this is the closest thing to a starting point for me.

The company's plan has a limited budget, but for the long term it should have single sign-on. Yet when I recently asked various vendors about their approaches, a lot of situations came up that I could not understand.

When people talk about single sign-on nowadays, there are two main approaches:
1. Have an identity server, whether via LDAP or M$'s AD.
2. Use the SSO redirect-here, redirect-there described above.
The problem with the first is budget: if I am only building a simple membership mechanism and spend that kind of money on every member, it is not very cost-effective. The problem with the second is server load. Suppose I am running a consumer campaign today, and the campaign and the authentication HTTP server are on the same machine but span two websites; I then have to handle the session-related needs of two sessions at once. If there are several of these at the same time (two or three at once is normal at our company, so possibly sessions for four domains), each with an online-media budget (during the lunch hour 300,000 click-throughs can pour in within an hour), my host (only one, and SQL is not on it) will probably die very quickly.

So that is my question. Is it really impossible to share sessions between different websites? Of course I know this involves many issues, including hash encoding of the session id and so on. But surely someone has tried?

Also, does the SSO approach really work when cookies are not enabled?


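The seven-step redirect flow quoted above, carried through end to end as an added example (not from the newsletter, the Liberty specification or any poster; written in Python rather than as a servlet so that it runs stand-alone). Both sides are simulated in one process: the service provider redirects an unauthenticated user to the identity provider, the identity provider authenticates and redirects back with an artifact, and the service provider resolves the artifact over a back-channel to obtain the profile (step 7). The host names sp.example and idp.example, the parameter names `sp`, `return_to` and `artifact`, the `resolve()` call and the 60-second TTL are assumptions. The checks a practitioner would want are included: the return URL is validated against the registered SP (otherwise the login page is an open redirector), the artifact is random, single-use, bound to the requesting SP and time-limited, and the SP issues its own session cookie rather than reusing the artifact.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ARTIFACT_TTL = 60  # seconds an unconsumed artifact stays valid (assumed value)


class Response:
    """Just enough of an HTTP response to follow the redirects."""
    def __init__(self, status, location="", body=""):
        self.status, self.location, self.body = status, location, body


def artifact_from(location):
    """Artifact parameter of a redirect Location URL, or None if absent."""
    return parse_qs(urlparse(location).query).get("artifact", [None])[0]


class IdentityProvider:
    """idp.example (assumed name): authenticates users, issues single-use artifacts."""

    def __init__(self, users, trusted_sps):
        self.users = users              # username -> (password, profile)
        self.trusted_sps = trusted_sps  # sp id -> registered return-URL prefix
        self.artifacts = {}             # artifact -> (sp id, username, issued at)

    def login(self, sp_id, return_to, username, password):
        # Steps 3-5. Only bounce back to a registered SP URL: an unchecked
        # return_to would turn the login page into an open redirector.
        prefix = self.trusted_sps.get(sp_id)
        if prefix is None or not return_to.startswith(prefix):
            return Response(400, body="unknown service provider or return URL")
        stored = self.users.get(username)
        if stored is None or not secrets.compare_digest(stored[0], password):
            return Response(401, body="bad credentials")
        artifact = secrets.token_urlsafe(24)   # random reference; carries no user data
        self.artifacts[artifact] = (sp_id, username, time.time())
        return Response(302, location=f"{return_to}?{urlencode({'artifact': artifact})}")

    def resolve(self, sp_id, artifact, now=None):
        """Step 7, back-channel. pop() makes the artifact single-use; it must also
        have been issued to the calling SP and still be inside its TTL."""
        now = time.time() if now is None else now
        entry = self.artifacts.pop(artifact, None)
        if entry is None:
            return None
        issued_to, username, issued_at = entry
        if issued_to != sp_id or now - issued_at > ARTIFACT_TTL:
            return None
        return self.users[username][1]


class ServiceProvider:
    """sp.example (assumed name): keeps its own sessions behind its own cookie."""

    def __init__(self, sp_id, base_url, idp, idp_login_url):
        self.sp_id, self.base_url, self.idp = sp_id, base_url, idp
        self.idp_login_url = idp_login_url
        self.sessions = {}   # local session id -> profile

    def handle(self, cookies):
        sid = cookies.get("SPSESSION")
        if sid in self.sessions:                      # step 1: already authenticated
            return Response(200, body=f"hello {self.sessions[sid]['name']}")
        q = urlencode({"sp": self.sp_id, "return_to": self.base_url + "/sso/return"})
        return Response(302, location=f"{self.idp_login_url}?{q}")   # step 2

    def sso_return(self, location):
        """Step 6: parse the artifact out of the redirect, resolve it, open a local session."""
        artifact = artifact_from(location)
        profile = self.idp.resolve(self.sp_id, artifact) if artifact else None
        if profile is None:
            return Response(403, body="artifact rejected"), None
        sid = secrets.token_urlsafe(24)              # fresh local id, never the artifact itself
        self.sessions[sid] = profile
        return Response(302, location=self.base_url + "/"), sid


def run_flow(password="correct horse"):
    """Drive the exchange end to end. Returns (SP first response, IdP login response,
    SP return response, SP response with the new session cookie)."""
    idp = IdentityProvider(
        users={"alice": ("correct horse", {"name": "Alice", "email": "alice@example.test"})},
        trusted_sps={"sp-a": "https://sp.example/"})
    sp = ServiceProvider("sp-a", "https://sp.example", idp, "https://idp.example/login")
    first = sp.handle(cookies={})                                          # steps 1-2
    q = parse_qs(urlparse(first.location).query)
    back = idp.login(q["sp"][0], q["return_to"][0], "alice", password)    # steps 3-5
    if back.status != 302:
        return first, back, None, None
    done, sid = sp.sso_return(back.location)                              # steps 6-7
    return first, back, done, sp.handle(cookies={"SPSESSION": sid})
```

The artifact is deliberately a meaningless random reference: the user's data only travels over the SP-to-IdP back-channel, so nothing in the browser's address bar or Referer header reveals it, and a replayed or leaked artifact fails at `resolve()` because it was already consumed.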
Author: moszap
Posted: 2003-12-05 14:45
Subject: Re: Sharing sessions between different websites [Re: aladdin]
An approach I used before was to store the session data in a DB: whenever you cross domains, store the session into the DB (the whole object, using Serializable), and once you arrive on the other side, deserialize the session back. However, when you actually do it there are many synchronization problems to solve (including when the session should time out).

Author: jini (SoftLeader Taiwan, moderator)
Posted: 2003-12-05 15:22
Subject: Re: Sharing sessions between different websites [Re: aladdin]

aladdin wrote:
Also, does the SSO approach really work when cookies are not enabled?

When cookies are disabled, sessions are also disabled.


Author: jini (SoftLeader Taiwan, moderator)
Posted: 2003-12-05 15:28
Subject: Re: Sharing sessions between different websites [Re: aladdin]
aladdin wrote:
When people talk about single sign-on nowadays, there are two main approaches:
1. Have an identity server, whether via LDAP or M$'s AD.

LDAP servers and M$ AD are not "Identity Servers".
They are just "Directory Servers".


aladdin wrote:
2. Use the SSO redirect-here, redirect-there described above.
The problem with the first is budget: if I am only building a simple membership mechanism and spend that kind of money on every member, it is not very cost-effective. The problem with the second is server load.

Well, I think one solution for managing server-side session tracking is to use a Listener.
It needs to be tried; I can't confirm that it works!

BTW, if you want to build a simple "Identity Server" yourself, I think you will end up paying more money and time to get a stable solution without a commercial "Identity Server" ^^"


Author: aladdin
Posted: 2003-12-05 15:46
Subject: Re: Sharing sessions between different websites [Re: jini]
jini wrote:
When cookies are disabled, sessions are also disabled.


Even with URL rewriting?


Author: aladdin
Posted: 2003-12-05 15:48
Subject: Re: Sharing sessions between different websites [Re: jini]
jini wrote:
LDAP servers and M$ AD are not "Identity Servers".
They are just "Directory Servers".


I have just finished reading the basic information on Sun Identity Server and now understand what it is. As for the price, let's not even go there.

My question is still: is sharing session data between different websites feasible?


aladdin edited on 2003-12-05 16:06
Author: aladdin
Posted: 2003-12-05 17:10
Subject: Re: Sharing sessions between different websites [Re: moszap]
moszap wrote:
An approach I used before was to store the session data in a DB: whenever you cross domains, store the session into the DB (the whole object, using Serializable), and once you arrive on the other side, deserialize the session back. However, when you actually do it there are many synchronization problems to solve (including when the session should time out).


What we did before was: concentrate all login requirements and critical transactions in one domain. Suppose there are two domains, A and B, that need authentication, and the login domain is called login. In the database there are two tables, one responsible for session sync and one for cookie sync.

1. When A needs authentication, check whether there is a member marker (in the cookie). If there is, continue with A's next step; if not, go to login.

2. After login finishes authenticating, it writes login's session id into both session sync and cookie sync, then redirects back to A with a hashed key in the URL.

3. A then turns this hash key back into login's session id, accesses the two tables above, and writes A's session id into them.

4. When the session in login expires, the data in session sync is deleted. Cookie sync is kept.

5. At this point all member pages in A are freely accessible.

6. If the user needs any transaction (such as shopping), it is handled at login. If the cookie is not set, a login must be performed. If the cookie exists and the session has not expired, work continues. If the session has expired, take the previous session id stored in the cookie and look in cookie sync for that value. If it does not exist, clear the cookie and treat the user as not logged in; if it does, replace the session id in cookie sync with the new session id, and copy that whole entry from cookie sync into session sync (considering that more than one site may need this service).

7. In cookie sync, whenever one of the sites' (A, B, login) sessions expires, a mark is made on the entry. Only once all the sessions have expired is that cookie sync entry removed.

8. To go from A to B you must first go through login. After that, all actions on B are synced with login.

Is anyone following?

So, now you know why I don't want to use SSO!


aladdin edited on 2003-12-06 06:57
Author: jini (SoftLeader Taiwan, moderator)
Posted: 2003-12-05 19:20
Subject: Re: Sharing sessions between different websites [Re: aladdin]
aladdin wrote:
What we did before was: concentrate all login requirements and critical transactions in one domain. Suppose there are two domains, A and B, that need authentication, and the login domain is called login. In the database there are two tables, one responsible for session sync and one for cookie sync.
[...]
So, now you know why I don't want to use SSO!


This method is not unworkable, but if you add Domain C / Domain D you are forced to modify the back-end logic,
and the login action will be repeated again and again.
But cookies cannot cross domains.
So I would instead suggest designing a Session Management Server, like an Identity Server, to maintain the sessions.

Your requirement is only authentication; it is very thin on authorization.
Probably because most of the systems already exist and don't need a new permission-control mechanism,
buying an identity server probably doesn't make much sense for you.
As for how to make good use of session logging to track sessions,
there are some tricks here ^^"

If they are all Java webapps... there are also some good solutions.
I wonder whether aladdin also has other systems such as ASP / CGI / PHP!


Author: aladdin
Posted: 2003-12-05 20:20
Subject: Re: Sharing sessions between different websites [Re: jini]
jini wrote:
This method is not unworkable, but if you add Domain C / Domain D you are forced to modify the back-end logic,
and the login action will be repeated again and again.
But cookies cannot cross domains.


The login action (the user entering account and password) is not repeated; it's just that we often have to go back to the login site to do things that drag down the system's speed.

About the problem when domains are added: this is the point I hate most. Even if MVC confines this process to the controller, the implementation is still very non-modular.


jini wrote:
So I would instead suggest designing a Session Management Server, like an Identity Server, to maintain the sessions.


On this point, I may have to ask jini to explain more clearly.


jini wrote:
Your requirement is only authentication; it is very thin on authorization.
Probably because most of the systems already exist and don't need a new permission-control mechanism,
buying an identity server probably doesn't make much sense for you.
As for how to make good use of session logging to track sessions,
there are some tricks here ^^"

If they are all Java webapps... there are also some good solutions.
I wonder whether aladdin also has other systems such as ASP / CGI / PHP!


The reason there is no authorization is that this part is just an ordinary website member login; members can't really do anything at all.

We now have three websites to integrate, but in fact they are all being rebuilt. On the platform side I myself vote for JSP (we probably won't need EJB), but because of funding we may use .NET. Technically, though, the differences between them (for the parts we will use) are not very big, apart from single sign-on.


Author: ingramchen
Posted: 2003-12-06 03:33
Subject: Re: Sharing sessions between different websites [Re: aladdin]
Why not just use a stateful session bean to solve it?
Isn't EJB designed precisely for distributed environments?

I'm not sure whether it's that I don't understand your question..? Or...?


Author: jini (SoftLeader Taiwan, moderator)
Posted: 2003-12-06 04:03
Subject: Re: Sharing sessions between different websites [Re: ingramchen]
ingramchen wrote:
Why not just use a stateful session bean to solve it?
Isn't EJB designed precisely for distributed environments?

I'm not sure whether it's that I don't understand your question..? Or...?


Stateful session bean?!

It still works within the same domain through a clustering solution; however, aladdin's question is cross-domain!

The enterprise problem of Cross-Domain Single Sign-On is "CDSSO", and there are two main solutions in the world.

1. Liberty Project; you could read my first Java Opensource Newspaper.
2. MS Passport.

Both solutions cost lots of money! Aladdin wants to find a simple solution for this authentication.

Why does CDSSO come up? From the cookie domain: because one cookie *ONLY* works for one domain, if I want to cross to another one, how could I get the same cookie for authentication? I think that it's a good question for enterprises. Aladdin offered one solution, a session ID with URL rewriting, to authenticate users.

OK, what's wrong with URL rewriting?
Mmm...
I think session tracking and maintenance is a big trouble there, and it is not safe in a poor mechanism with any complete re-authentication in another domain.

Well, is there any other easy solution? Of course! I have an idea about re-building the protocol. Because I have never tried and tested it, I can't release any info ^^"


jini edited on 2003-12-06 04:09
Author: ingramchen
Posted: 2003-12-06 06:52
Subject: Re: Sharing sessions between different websites [Re: jini]
jini wrote:
Stateful session bean?!

It still works within the same domain through a clustering solution; however, aladdin's question is cross-domain!
[...]
Well, is there any other easy solution? Of course! I have an idea about re-building the protocol. Because I have never tried and tested it, I can't release any info ^^"


Oh! Thanks, now I understand the problem better.

Then use SFSBs to build a central session management mechanism that simulates an identity server, and let EJB handle security and transactions so we don't have to write them ourselves. By accessing one unified EJB server, the clients can also share data. I think this should be feasible?

The drawback is that the clients can only be Java / servlets, and an EJB server is also too expensive and too complex; it doesn't fit the requirements :-b


Author: jini (SoftLeader Taiwan, moderator)
Posted: 2003-12-06 13:31
Subject: Re: Sharing sessions between different websites [Re: ingramchen]
ingramchen wrote:
Oh! Thanks, now I understand the problem better.

Then use SFSBs to build a central session management mechanism that simulates an identity server, and let EJB handle security and transactions so we don't have to write them ourselves. By accessing one unified EJB server, the clients can also share data. I think this should be feasible?

The drawback is that the clients can only be Java / servlets, and an EJB server is also too expensive and too complex; it doesn't fit the requirements :-b


Mm... could I ask another question?

For example, AAA.com and BBB.com.

When you log in to AAA.com, AAA.com gives your browser a sessionId (a cookie with domain AAA.com), and then you leave AAA.com for BBB.com.
BBB.com won't know any information from AAA.com; how do you use the session? And how do you get hold of any SFSB??


Author: aladdin
Posted: 2003-12-06 13:51
Subject: Re: Sharing sessions between different websites [Re: jini]
jini wrote:
Mm... could I ask another question?

For example, AAA.com and BBB.com.

When you log in to AAA.com, AAA.com gives your browser a sessionId (a cookie with domain AAA.com), and then you leave AAA.com for BBB.com.
BBB.com won't know any information from AAA.com; how do you use the session? And how do you get hold of any SFSB??


I have heard of a solution, but I am not sure whether it works.

You can write a filter for some subdirectory of BBB.com, for instance /pass, and for any incoming reference it attaches a cookie for BBB.com. (If you know how HTTP headers are processed, you can do it. This is called a third-party cookie.) Next, every page of AAA.com references some picture from BBB.com under the directory /pass (a logo or an empty GIF; the cookie is then attached to the HTTP header). While the browser remains open, even if you type BBB.com into the address bar, you get the cookie, and then the whole activity of AAA.com from the database.

It is a dirty trick. And there are so many variations of this technique (yes, someone can use this technique to peek at your web activity, if any of the sites you are viewing is within the alliance doing the peeking, and somebody makes money by broadcasting ads this way). The problem is still CPU load, and if you need 9 websites to sync (and put them all on one piece of hardware), you will get a big, big, big problem. The person who implemented this technique almost built an HTTP server from scratch. And he used C++, not Java.

It is too dirty, so I think I should write this technique up in English. I should ask my wife to translate the text into Deutsch.


aladdin edited on 2003-12-06 14:00
Author: Forth (moderator)
Posted: 2003-12-06 14:19
Subject: Re: Sharing sessions between different websites [Re: aladdin]
Hi aladdin,
In my understanding, I cannot figure out how that works. Could you give some more hints about what you have mentioned above?


Author: jini (SoftLeader Taiwan, moderator)
Posted: 2003-12-06 14:41
Subject: Re: Sharing sessions between different websites [Re: aladdin]
aladdin wrote:
You can write a filter for some subdirectory of BBB.com, for instance /pass, and for any incoming reference it attaches a cookie for BBB.com. (If you know how HTTP headers are processed, you can do it. This is called a third-party cookie.) Next, every page of AAA.com references some picture from BBB.com under the directory /pass (a logo or an empty GIF; the cookie is then attached to the HTTP header). While the browser remains open, even if you type BBB.com into the address bar, you get the cookie, and then the whole activity of AAA.com from the database.


How does it attach a cookie for BBB.com?
I guess you still use the URL rewriting mechanism for BBB.com, and use the picture to keep the session alive.

I don't know what a third-party cookie is!
I don't think that it works; it seems impossible.


Author: aladdin
Posted: 2003-12-06 14:50
Subject: Re: Sharing sessions between different websites [Re: Forth]
Forth wrote:
Hi aladdin,
In my understanding, I cannot figure out how that works. Could you give some more hints about what you have mentioned above?


1. A cookie is part of the information contained mainly in the HTTP request. But for state consistency, the browser repeats the same cookie whenever it sends back an HTTP request. That's why, when you set a cookie in the response part, the same cookie comes back to you in the next HTTP request.

2. A cookie is part of the HTTP header; every HTTP request can be answered by an HTTP response with some cookie attached. You can rewrite the HTTP response header as you wish (in fact, HttpServletResponse.addCookie(javax.servlet.http.Cookie) can do this trick: you can set the response content type to a picture format, read some picture file, and put it into the stream. When you send back the response, the cookie is attached, and the stream is displayed as a picture).

I think that should be enough. What remains is to write a filter. You can try it yourself.

BTW, I always set the third-party cookie option to 'Warning', so it warns you every time you get a third-party cookie. You can set this option in the preferences of your web browser. Then try a porn site, and you will understand how this technique is peeking at your activity.

About information technology: the more you understand, the less you will trust.


aladdin edited on 2003-12-06 15:01
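The cookie behaviour behind aladdin's /pass trick (two posts above) and his explanation of it here, and behind jini's "one cookie *ONLY* works for one domain", as an added example that is not from any of the posts. Python's standard-library cookie jar stands in for the browser: a page on aaa.example embeds an image from bbb.example, bbb.example's response to the image request sets a cookie, and the example checks which cookies are later sent to each site, once with third-party cookies allowed and once with them blocked (`strict_ns_unverifiable=True`). The host names, the /pass/pixel.gif path and the cookie names are assumptions.

```python
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class FakeResponse:
    """The minimum CookieJar.extract_cookies() needs: info() returning the headers."""

    def __init__(self, headers):
        self._msg = Message()
        for name, value in headers:
            self._msg[name] = value

    def info(self):
        return self._msg


def pixel_response(session_id):
    """What the /pass filter on bbb.example (assumed host) sends for the 1x1 GIF:
    an image content type plus a session cookie. No Domain attribute, so the
    browser files it as a host-only cookie for bbb.example."""
    return FakeResponse([
        ("Content-Type", "image/gif"),
        ("Set-Cookie", f"BBBSESSION={session_id}; Path=/"),
    ])


def cookie_header(jar, url):
    """Cookie header the 'browser' attaches to a first-party request to url (None if none)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate(block_third_party):
    """A page on aaa.example embeds <img src="http://bbb.example/pass/pixel.gif">.
    Returns the Cookie headers later sent on direct visits to bbb.example and aaa.example."""
    jar = CookieJar(DefaultCookiePolicy(strict_ns_unverifiable=block_third_party))
    # AAA's own login cookie, set while the user is on aaa.example (first-party).
    jar.extract_cookies(FakeResponse([("Set-Cookie", "AAASESSION=a1; Path=/")]),
                        Request("http://aaa.example/login"))
    # The pixel: a request to bbb.example made on behalf of a page whose origin is
    # aaa.example, i.e. a third-party request from the browser's point of view.
    pixel = Request("http://bbb.example/pass/pixel.gif",
                    origin_req_host="aaa.example", unverifiable=True)
    jar.extract_cookies(pixel_response("b9"), pixel)
    return {
        "bbb": cookie_header(jar, "http://bbb.example/"),
        "aaa": cookie_header(jar, "http://aaa.example/"),
    }
```

With third-party cookies allowed, the BBB cookie set during the AAA page load is sent when the user later types bbb.example into the address bar, which is what makes the trick work; AAA's own cookie is never sent to bbb.example, which is jini's point. With the policy flag set, the pixel response's cookie is discarded and bbb.example sees no session at all, so a design built on this breaks for every user whose browser blocks third-party cookies, which is the very setting aladdin recommends turning to 'Warning'.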
Author: aladdin
Posted: 2003-12-06 15:24
Subject: Re: Sharing sessions between different websites [Re: aladdin]
I found that this technique has been used on some local sites, like this one. You can turn on the third-party cookie warning and test it.

http://www.benesse.com.tw/

Programmers have both the orthodox path and the side doors; it looks like everyone here knows little about the side-door tricks.


aladdin edited on 2003-12-06 16:35
Author: ingramchen
Posted: 2003-12-06 16:30
Subject: Re: Sharing sessions between different websites [Re: jini]
jini wrote:
Mm... could I ask another question?

For example, AAA.com and BBB.com.

When you log in to AAA.com, AAA.com gives your browser a sessionId (a cookie with domain AAA.com), and then you leave AAA.com for BBB.com.
BBB.com won't know any information from AAA.com; how do you use the session? And how do you get hold of any SFSB??


I mean that both AAA.com and BBB.com need to access the same EJB server during authentication or data sharing (maybe using filters to redirect).
That's why I said both clients are restricted to a Java solution.
A user at either AAA or BBB would have to use a cookie to let the EJB server know
who he is, and then the server chooses the corresponding SFSB (programmatically).
But without cookies, it seems impossible to track the user...


Author: jini (SoftLeader Taiwan, moderator)
Posted: 2003-12-06 16:39
Subject: Re: Sharing sessions between different websites [Re: aladdin]
aladdin wrote:
I found that this technique has been used on some local sites, like this one. You can turn on the third-party cookie warning and test it.

http://www.benesse.com.tw/

Programmers have both the orthodox path and the heretical one; it looks like everyone here knows little about the heretical tricks.


Ha... I originally thought it was some hacker or cracker technique.
It's just using a script to achieve rewriting ^^"


Author: aladdin
Posted: 2003-12-06 16:51
Subject: Re: Sharing sessions between different websites [Re: jini]
jini wrote:
Ha... I originally thought it was some hacker or cracker technique.
It's just using a script to achieve rewriting ^^"


http://www.benesse.com.tw/

If jini can explain why, the first time you enter this page, your third-party cookie warning appears three times, and afterwards twice, then you basically understand this technique completely.

Please don't use IE for the steps below; the first time I fully unravelled this mystery I used Netscape. Now is a good time to download it.

1. Look carefully at what is inside the HTML code: the included .js cannot do anything with cookies (however it executes, it runs within benesse.com.tw, and that .js does not perform any cookie operations either, so where does the third-party cookie come from?). So what triggers the warning? Why? And twice?

2. If you trace this source, you will find that the thing after the .js is not URL rewriting either, but that site's site id for the third-party cookie, because everyone (you can check from different machines) sees the same thing every time they enter benesse.com.tw. Even if that thing really were URL rewriting, with existing technology how do you make the server return something that is a .js and then have the cookie appear?

3. Trace that .js (IE will block it; you have to use Netscape) and you will see that at the end it writes an <img> tag with a pile of stuff after it. How can that URL be analysed in real time and then recorded in the cookie written back? And together with an image file? This part should be something you are all good at.

Those are the clues I know of. The person who first told me about this method was a foreigner, but it looks like people here in Taiwan are already quite adept at this technique too.

Can we go back to the original question? Has anyone ever shared sessions directly between different domains, rather than sharing this information indirectly by redirecting back and forth?


aladdin edited on 2003-12-06 17:56
Author: jini (SoftLeader Taiwan, moderator)
Posted: 2003-12-06 19:43
Subject: Re: Sharing sessions between different websites [Re: aladdin]
aladdin wrote:
http://www.benesse.com.tw/

If jini can explain why, the first time you enter this page, your third-party cookie warning appears three times, and afterwards twice, then you basically understand this technique completely.
[...]
Can we go back to the original question? Has anyone ever shared sessions directly between different domains, rather than sharing this information indirectly by redirecting back and forth?


It's so simple: the js is not real JavaScript.
Well, *ONLY* by knowing what <script src="xxx"> is will you know what the technology is.
And if aladdin has ever used a stock-trading system, you will discover that all trading systems cross into the quote system by script src.

BTW, it's not a real solution for accessing cross-domain session variables.


Author: Forth (moderator)
Posted: 2003-12-06 21:11
Subject: Re: Sharing sessions between different websites [Re: aladdin]
You know that sites exchange data using redirection. How would you exchange data between sites other than by redirection?

Author: saijone (moderator)
Posted: 2003-12-07 01:03
Subject: Re: Sharing sessions between different websites [Re: aladdin]
aladdin wrote:
My question is still: is sharing session data between different websites feasible?

It is technically impossible for multiple domains to share the same cookie. Otherwise, it
must be a security flaw in your web browser/client. Though I do not understand what
that 'Filter' means... you certainly can intercept all the HTTP requests and
responses if the HTTP traffic is not in SSL/TLS mode. Then you can share
it by stealing/hacking.

Encoding "something" in the URL seems to be the only way to share "something"
among domains. And I guess the "encoding" you will do is either plain text or base64
(otherwise you also need to negotiate/share the encryption algorithm between websites).
So, if I can steal your "something", I may steal everything...


ingramchen wrote:
Then use SFSBs to build a central session management mechanism that simulates an identity server, and let EJB handle security and transactions so we don't have to write them ourselves. By accessing one unified EJB server, the clients can also share data. I think this should be feasible?

The EJB specs say a typical session object executes on behalf of a single client. So, are
you suggesting having multiple web tiers access the same SFSB? (It is technically
infeasible for multiple EJB clients to share the same SFSB concurrently.) However, you
could have your multiple web apps access the same SFSB Client/Delegate, so that
this Client/Delegate becomes a "shared" session state. But still, this does NOT solve the
problem... How can multiple web apps know which SFSB Client/Delegate is to be shared?

Besides... what if web A is built on .NET but web B is J2EE? You know my answer:
Web Services... But in Web Services technology, state management, identification,
as well as global addressing technology, have not matured or been standardized yet...


saijone edited on 2003-12-07 01:07
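On the value placed in the URL to carry a login across domains (the "hashed key in the URL" in aladdin's A/B/login scheme earlier in the thread, and saijone's point above that the encoding will be plain text or base64), an added example that is not from either post. The naive base64 "token" is decoded back to the login session id in one call, and anyone who knows or guesses a session id can mint one. The alternative shown builds the handoff from a keyed HMAC over the target site, an expiry and a one-time nonce: without the shared key it cannot be forged or altered, it is refused by a site it was not meant for, refused after expiry, and refused on replay. The key, the 60-second lifetime, the claim names and the in-memory nonce set are assumptions. It does not change saijone's conclusion: a token stolen in transit is valid until it expires or is consumed, so the URL still has to travel over TLS and the token has to be short-lived and single-use.

```python
import base64
import hashlib
import hmac
import json
import secrets


def naive_token(session_id):
    """The 'encoding' saijone describes: base64 of the login-domain session id.
    Anyone who sees it decodes it; anyone who knows a session id can forge one."""
    return base64.urlsafe_b64encode(session_id.encode()).decode()


def decode_naive_token(token):
    return base64.urlsafe_b64decode(token.encode()).decode()


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_handoff(key, site, login_sid, now, ttl=60):
    """login-domain side: bind the session id to the target site, an expiry and a
    one-time nonce, then MAC the lot. Only login and the member sites hold `key`
    (assumed shared secret); ttl of 60 s is an assumed value."""
    claims = {"site": site, "sid": login_sid, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


class HandoffVerifier:
    """Site A (or B) side: accept a handoff only if the MAC is intact, it was meant
    for this site, it has not expired and its nonce has not been seen before."""

    def __init__(self, key, site):
        self.key, self.site = key, site
        self.seen = set()   # consumed nonces; in a real deployment a table with expiry

    def verify(self, token, now):
        """Return the login session id the handoff carries, or None if it is rejected."""
        try:
            body_b64, mac_b64 = token.split(".")
            body, mac = _unb64(body_b64), _unb64(mac_b64)
        except ValueError:                      # wrong shape or bad base64
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time: check the MAC before trusting any claim
            return None
        claims = json.loads(body)
        if claims["site"] != self.site or now > claims["exp"] or claims["nonce"] in self.seen:
            return None
        self.seen.add(claims["nonce"])          # consume it: a second presentation is a replay
        return claims["sid"]
```

The order inside `verify()` matters: the MAC is checked before any field is read, so a tampered or attacker-built body is never parsed, and the nonce is only recorded after every other check passes, so a rejected token cannot be used to poison the consumed set.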
Author: jini (SoftLeader Taiwan, moderator)
Posted: 2003-12-07 01:26
Subject: Re: Sharing sessions between different websites [Re: saijone]
saijone wrote:
It is technically impossible for multiple domains to share the same cookie. Otherwise, it
must be a security flaw in your web browser/client. Though I do not understand what
that 'Filter' means... you certainly can intercept all the HTTP requests and
responses if the HTTP traffic is not in SSL/TLS mode. Then you can share
it by stealing/hacking.


I am interested in the technique for intercepting all the HTTP requests/responses.
Because I don't know how the Liberty federation gets cross-domain cookies to the browser, I guess they use some other protocol or set some information in the HTTP header, and the identity server manages all of the domains' sessions. That's my guess ^^"


(thread page 1 of 4)