preface


As a new employee, I read the front-end development manual maintained by the team. When I read the section on cookie usage specifications, I was curious about domains and usage scenarios. Because my previous use of cookies was basically through the JS-cookie library, and rarely through the browser's native API, I had never set the domain property of a cookie. I could only assume, literally, that it is an attribute about the scope of the cookie.

As we all know (and I didn't know before), cookies are normally created by the server: a response carries a Set-Cookie header, the browser stores the cookie locally, and every subsequent HTTP request to a matching host carries it back in the Cookie request header. (Scripts can also create cookies through document.cookie, which is what the examples below do.) Two points to keep in mind: 1. cookies are created on the server side (or by script); 2. every matching request carries the cookie automatically, whether or not the user intended that particular request.

Here is a request message for a CSDN article I opened:

Two things stand out in Figure 1:

  1. The Cookie request header is a single long string of key=value pairs separated by "; ". This is the same string that document.cookie returns inside the page, and it can be split on "; " to recover the pairs. Note that document.cookie only exposes cookies that were set without the HttpOnly flag; HttpOnly cookies are still sent in the header but are invisible to script.
  2. The Cookies view under the Application tab of the developer tools shows the same data already parsed into individual name/value records, with their attributes (Domain, Path, Expires, HttpOnly, Secure) as columns.
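As an added example (not code from the original article), here is a small JavaScript parser that turns the document.cookie string into an object. The sample cookie string is constructed to resemble the shape of the header in Figure 1, not copied from it, and the option name decode is my own.

```javascript
// Added example, not code from the original article: parse the single
// string that document.cookie (or a Cookie request header) returns into
// name/value pairs. The sample input below is constructed for the demo.

function parseCookieString(cookieString, { decode = false } = {}) {
  // A null-prototype object so a cookie named "__proto__" or "constructor"
  // cannot clobber inherited properties of the result.
  const result = Object.create(null);
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    if (pair === '') continue;                 // tolerate a trailing "; "
    // Split on the first "=" only: base64 and JWT values contain "=".
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq).trim();
    const raw = eq === -1 ? '' : pair.slice(eq + 1).trim();
    let value = raw;
    if (decode) {
      // The browser does not decode cookie values; only decode when the
      // server is known to have percent-encoded them, and never throw on
      // a malformed sequence coming from an untrusted cookie.
      try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
    }
    // Browsers list the more specific (longer Path) cookie first when two
    // cookies share a name, so the first occurrence is the one to keep.
    if (!(name in result)) result[name] = value;
  }
  return result;
}

// Constructed sample resembling the Cookie header in Figure 1; the second
// "token" stands for a less specific duplicate that must not win.
const SAMPLE_COOKIE_STRING =
  'uuid_tt_dd=10_1234567890; dc_session_id=10_1593000000000.123456; ' +
  'c_first_ref=www.baidu.com; token=eyJhbGciOiJIUzI1NiJ9.abc==; ' +
  'token=stale; theme=dark%20mode;';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseCookieString(SAMPLE_COOKIE_STRING, { decode: true }));
}
```

Run it with node; the duplicate token keeps its first (more specific) value, the trailing "; " is ignored, and a malformed percent-encoding falls back to the raw value instead of throwing.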

With all that said, there is one more piece of hidden and important information to add: cookies are associated with domain names. The browser's cookie store is, in effect, keyed by domain: each cookie is stored under the domain it belongs to, and the browser only attaches a cookie to requests whose host matches that domain (the Path attribute narrows this further).

Important properties of cookies


  1. Name

    The key of a single cookie record; the name is what you use to set and read the value stored in the cookie.

  2. Value

    The value stored under that name.

  3. Expires/Max-Age

    When this cookie record expires. Expires is an absolute date, Max-Age is a lifetime in seconds (Max-Age wins when both are present); a cookie with neither is a session cookie that is discarded when the browser closes.

  4. Domain

    The scope of this cookie. Domain names are hierarchical (top-level domain, second-level domain, third-level domain and so on), and the Domain attribute states which hosts the cookie is sent to. If Domain is set to 'baidu.com', every host that is baidu.com or ends in '.baidu.com' receives the cookie, including subdomains such as 'tieba.baidu.com' and 'zhidao.baidu.com'. The older convention writes the value with a leading dot ('.baidu.com'); current browsers (RFC 6265) ignore that leading dot, so 'domain=.baidu.com' and 'domain=baidu.com' mean the same thing. What actually matters is whether Domain is present at all: a cookie set without a Domain attribute is a host-only cookie and is sent back only to the exact host that set it. Two restrictions apply: a browser rejects a cookie whose Domain does not cover the host that set it (k1.baidu.com cannot set a cookie for k2.baidu.com), and it rejects a Domain that is a public suffix such as 'com' or 'github.io'.

    The effect of the domain attribute described above also provides the technical basis for one form of single sign-on: by setting the cookie on the parent domain, every subdomain receives the same cookie, so the user does not need to log in again on each of them. The flip side is that every subdomain can also read and overwrite that cookie, so a vulnerability (an XSS, for example) on any one subdomain exposes the shared session on all of them. Limit the cookie with HttpOnly, Secure and SameSite, and do not host untrusted content under the parent domain.

    As a company's business grows more complex, there will be multiple front-end applications. For easier maintenance they are usually split up, and users reach the different applications through different subdomains. This creates a requirement for single sign-on: log in once in one application, and none of the other child applications asks for a login again.

Single sign-on (sso)


My colleague at my previous company worked on the single sign-on business, and I occasionally heard him discuss it with the back end. But I don't really understand the specifics of single sign-on. What does "single sign-on" mean? Here is my understanding. So-called single sign-on means that when a user logs in to a site such as www.baidu.com and switches to another site, tieba.baidu.com, the server of Tieba automatically determines that the user is already logged in. Conversely, as long as the user logs out of tieba.baidu.com, when they switch to www.baidu.com, the server behind www determines that the user has logged out.

Therefore, when we log in at www.baidu.com, we can store a cookie under the .baidu.com domain (the browser accepts it because baidu.com covers the host www.baidu.com that sets it):

document.cookie = "userInfo=obj; path=/; domain=.baidu.com"

The same cookie is then visible under tieba.baidu.com. (Setting it from JavaScript is only for illustration; in practice the server should set an opaque session identifier rather than user data, with HttpOnly so scripts cannot read it.)

If instead the cookie is set under zhidao.baidu.com without a Domain attribute, it is a host-only cookie: it is not visible under www.baidu.com or tieba.baidu.com. This is what people call cookies being "cross-domain".
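To make the Domain rules from the property list and the single sign-on scenario above concrete, here is an added example (not code from the original article) of a minimal cookie jar in JavaScript that applies the RFC 6265 rules: a leading dot is ignored, a missing Domain means host-only, a Domain that does not cover the setting host is rejected, and a public suffix is rejected. The host names, the tiny public-suffix list and the Set-Cookie headers are constructed for the demo; a real browser consults the full Public Suffix List.

```javascript
// Added example, not code from the original article: a minimal cookie jar
// that applies the RFC 6265 Domain rules. PUBLIC_SUFFIXES is a constructed
// stand-in for the real Public Suffix List.

const PUBLIC_SUFFIXES = new Set(['com', 'cn', 'com.cn', 'github.io']);

// Lower-case the Domain attribute and drop a single leading dot, which
// RFC 6265 ignores ("domain=.baidu.com" means "domain=baidu.com").
function normalizeDomain(domain) {
  const d = domain.trim().toLowerCase();
  return d.startsWith('.') ? d.slice(1) : d;
}

// RFC 6265 section 5.1.3 domain matching: the host equals the domain or
// ends with "." + domain. "evilbaidu.com" does not match "baidu.com".
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = normalizeDomain(domain);
  return h === d || h.endsWith('.' + d);
}

// Parse "name=value; Domain=...; Path=..." into a cookie object.
function parseSetCookie(header) {
  const [nv, ...attrs] = header.split(';');
  const eq = nv.indexOf('=');
  const cookie = { name: nv.slice(0, eq).trim(), value: nv.slice(eq + 1).trim(),
                   path: '/', domain: null, hostOnly: true };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain') cookie.domain = val;
    else if (key === 'path') cookie.path = val;
  }
  return cookie;
}

// Store a cookie received from requestHost. Returns false when a browser
// would reject it: the Domain is a public suffix, or it does not cover
// requestHost (k1.baidu.com cannot set a cookie for k2.baidu.com).
function storeCookie(jar, requestHost, setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  const host = requestHost.toLowerCase();
  if (cookie.domain === null) {
    cookie.domain = host;                 // host-only: sent back only to host
    cookie.hostOnly = true;
  } else {
    const d = normalizeDomain(cookie.domain);
    if (PUBLIC_SUFFIXES.has(d)) return false;      // "domain=.com" refused
    if (!domainMatches(host, d)) return false;     // sibling/unrelated domain
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  // The same name + domain + path replaces the earlier cookie.
  const idx = jar.findIndex(c => c.name === cookie.name &&
                                 c.domain === cookie.domain && c.path === cookie.path);
  if (idx >= 0) jar[idx] = cookie; else jar.push(cookie);
  return true;
}

// Cookies the browser would attach to a request for host (Path and Secure
// are ignored here to keep the focus on Domain).
function cookiesFor(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)))
    .map(c => `${c.name}=${c.value}`);
}

// Walk-through of the article's scenario: a parent-domain login cookie,
// a host-only cookie on one subdomain, and two rejected Set-Cookie headers.
function ssoDemo() {
  const jar = [];
  storeCookie(jar, 'www.baidu.com', 'userInfo=obj; Path=/; Domain=.baidu.com');
  storeCookie(jar, 'zhidao.baidu.com', 'zhidaoPref=1; Path=/');
  const siblingAccepted = storeCookie(jar, 'k1.baidu.com', 'x=1; Domain=k2.baidu.com');
  const suffixAccepted = storeCookie(jar, 'www.baidu.com', 'x=1; Domain=.com');
  return {
    www: cookiesFor(jar, 'www.baidu.com'),        // ['userInfo=obj']
    tieba: cookiesFor(jar, 'tieba.baidu.com'),    // ['userInfo=obj']
    zhidao: cookiesFor(jar, 'zhidao.baidu.com'),  // ['userInfo=obj', 'zhidaoPref=1']
    other: cookiesFor(jar, 'evilbaidu.com'),      // []
    siblingAccepted,                              // false
    suffixAccepted,                               // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(ssoDemo());
}
```

The demo shows why a look-alike host such as evilbaidu.com never receives the baidu.com cookie (matching requires the "." boundary), and why the conclusion's idea of creating a cookie for k2.baidu.com from k1.baidu.com cannot work: the jar, like a browser, refuses it.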

conclusion


Domain states the domain the cookie belongs to. When it is omitted, the cookie is host-only and belongs to the exact host of the request: for the URL www.baidu.com/search the default is www.baidu.com. For sharing across subdomains, for example domain A k1.baidu.com and domain B k2.baidu.com, a cookie that both can access must be set with domain=baidu.com (written .baidu.com in the older style; browsers treat the two identically). It is not possible to set, from domain A, a cookie that only domain B can access: a browser rejects a Set-Cookie whose Domain does not cover the host that sent it, so k1.baidu.com cannot set domain=k2.baidu.com; such a cookie has to be set by a response from k2.baidu.com itself.
