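Java cookie single sign-on: single sign-on without cookies in Java

This article discusses how to implement proxy login (SSO) by embedding URL parameters when cookies are disabled, describes the current use of JOSSO, and proposes a fallback of simply detecting when a user has not enabled cookies. It also mentions the complexity and security issues this approach can bring, and the suggestion to consider a simple cookie test.
Summary generated by CSDN using intelligent technology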

I keep facing this question from my manager: how will SSO work if the client disables cookies? I don't have an answer. We are currently using JOSSO for single sign-on. Is there any open source framework that supports single sign-on without using the cookie mechanism?

Solution

In the absence of cookies, you're going to have to embed some parameter in each URL request, e.g. after logging in you assign some arbitrary id to a user and embed that in every link, such as http://mydomain.com/main?sessionid=123422234235235. It could get pretty messy, since every link would have to be fixed up before it went out the door, which slows down your content. It also has security, logging and session history implications which are not such a huge deal when the state is in a cookie.

It may be simpler to do a simple cookie test on logged-in users and send them off to an error page if they do not have cookies enabled.
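
One way to implement the cookie test suggested in the answer above, as an added example that is not part of the original answer or of JOSSO: a servlet filter that sets a probe cookie, redirects once to the same URL, and sends the browser to an error page if the cookie does not come back. It assumes the `javax.servlet` API 3.0 or later; the class name, cookie name, marker parameter and error page path are all hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
/** Cookie probe for the login entry point: a usability check, not an access control. */
public class CookieProbeFilter implements Filter {
    // All three names are hypothetical, chosen for this example.
    private static final String PROBE_COOKIE = "cookie_probe";
    private static final String PROBE_PARAM = "cookie_probe_sent";
    private static final String ERROR_PAGE = "/cookies-required.html";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String errorUrl = req.getContextPath() + ERROR_PAGE;
        // Pass through: probe already returned, the error page itself, or a
        // non-GET request (redirecting a POST would drop its body).
        if (hasProbe(req) || req.getRequestURI().equals(errorUrl)
                || !"GET".equals(req.getMethod())) {
            chain.doFilter(rq, rs);
            return;
        }
        if (req.getParameter(PROBE_PARAM) != null) {
            // Second pass: the cookie was set on the first pass but did not come back.
            res.sendRedirect(errorUrl);
            return;
        }
        // First pass: set the probe and bounce once to the same URL. getRequestURL()
        // is absolute, so a path starting with "//" cannot become an off-site redirect.
        Cookie probe = new Cookie(PROBE_COOKIE, "1");
        probe.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        probe.setHttpOnly(true);
        probe.setSecure(req.isSecure());
        res.addCookie(probe);
        String query = req.getQueryString();
        res.sendRedirect(req.getRequestURL() + "?"
                + (query == null ? "" : query + "&") + PROBE_PARAM + "=1");
    }
    private static boolean hasProbe(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();   // null when the request has no cookies
        if (cookies == null) return false;
        for (Cookie c : cookies) if (PROBE_COOKIE.equals(c.getName())) return true;
        return false;
    }
}
```

Mapping the filter only to the login entry point keeps the extra redirect to one per visit. The probe cookie carries no session state, so the session identifier never has to appear in a URL.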
