[WebView issues] Login failure: the cookie trap

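What was the problem?

Yet another Android-only problem.
Login to 12306 kept failing, yet it worked on some phones.
Checking the request data turned up nothing wrong.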

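What was the cause?

When logging in to 12306, this familiar captcha appears.
[Image: the 12306 captcha]

The sequence diagram for the captcha and the interactions that follow it:

[Image: sequence diagram of the captcha and login requests]

As the diagram shows, the 12306 request sent after the captcha is solved must carry cookie A, which is issued along with the captcha, but the cookie actually used was still the earlier one. In other words, the cookie issued when the captcha image was downloaded was never stored in the WebView's CookieManager.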

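About cookies

Their main purpose is user identification and state management: to manage user state, a website temporarily writes some data to the user's computer.
In the case above, the cookie is what links a given login request to the captcha image issued before it.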

Root cause

Android 5.0 and later restrict acceptance of third-party cookies.

How to fix it?

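// Requires android.os.Build and android.webkit.CookieManager.
// setAcceptThirdPartyCookies() exists from API 21 (Lollipop) and applies to the given WebView only.
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
    CookieManager cookieManager = CookieManager.getInstance();
    // enable: boolean, true to accept third-party cookies in this WebView
    cookieManager.setAcceptThirdPartyCookies(mDelegate.mWebView, enable);
}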
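The fix above turns third-party cookies on for the whole lifetime of the WebView. The following is an added example, not code from the original post: a WebViewClient that accepts them only while a trusted login page is the top-level document, and then checks that the captcha host's cookie really reached CookieManager. The class name, `login.example.com` and the captcha URL are hypothetical placeholders.

```java
import android.graphics.Bitmap;
import android.net.Uri;
import android.os.Build;
import android.util.Log;
import android.webkit.CookieManager;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Added example: third-party cookies are accepted only under trusted top-level pages. */
public class ScopedThirdPartyCookieClient extends WebViewClient {
    private static final String TAG = "CookieCheck";
    // Hypothetical values: replace with the login host and captcha URL of your own flow.
    private static final Set<String> TRUSTED_TOP_LEVEL_HOSTS =
            new HashSet<>(Arrays.asList("login.example.com"));
    private static final String CAPTCHA_URL = "https://captcha.example.net/image";

    /** Pure policy check, kept separate so it can be unit-tested without a WebView. */
    static boolean shouldAllowThirdParty(String topLevelHost) {
        return topLevelHost != null
                && TRUSTED_TOP_LEVEL_HOSTS.contains(topLevelHost.toLowerCase(Locale.ROOT));
    }

    @Override
    public void onPageStarted(WebView view, String url, Bitmap favicon) {
        super.onPageStarted(view, url, favicon);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            // getHost() returns null for URLs such as about:blank; that maps to "do not allow".
            boolean allow = shouldAllowThirdParty(Uri.parse(url).getHost());
            // The setting is per WebView, so other WebViews in the app are unaffected.
            CookieManager.getInstance().setAcceptThirdPartyCookies(view, allow);
        }
    }

    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);
        // Diagnostic for the bug described above: was the captcha host's cookie stored?
        // If the page fetches the captcha later from script, repeat this check before submitting.
        String stored = CookieManager.getInstance().getCookie(CAPTCHA_URL);
        // Log only whether a cookie exists, never its value: it is session material.
        Log.d(TAG, "captcha cookie stored: " + (stored != null && !stored.isEmpty()));
    }
}
```

Install it with `webView.setWebViewClient(new ScopedThirdPartyCookieClient())` before loading the login page.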

What are ThirdPartyCookies?

What is a (third-party) cookie?

A cookie is a small script placed on the hard drive of your computer by the server of a website that you visit. The cookie is placed there for the purpose of recognising your specific browser / computer combination, were you to return to the same site.

All cookies have an owner which tells you who the cookie belongs to. The owner is the domain specified in the cookie.

The word “party” refers to the domain as specified in cookie; the website that is placing the cookie. So, for example, if you visit widgets.com and the domain of the cookie placed on your computer is widgets.com, then this is a first-party cookie. If, however, you visit widgets.com and the cookie placed on your computer says stats-for-free.com, then this is a third-party cookie.

Opentracker provides services that allow the companies and websites to track their visitors with first-party cookies.

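Put simply, every cookie has an owner, which is the domain that issued the Set-Cookie. When the page you are visiting is on domain A but the cookie's owner is domain B, that cookie is a third-party cookie from A's point of view. Blocking this cross-domain access is also for the sake of security.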

References:

Android WebView填坑记录 (Android WebView pitfall notes)
[Third-Party Cookies vs First-Party Cookies](http://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies#Difference between first and third-party cookies)
