Updated: 2023-10-08 21:51:46
I'm trying to implement an authentication mechanism where each browser tab may be logged in as a different user.
Here are the rules of this system:
What I've tried so far:
Using cookies for both the private and public tokens: this doesn't work because the server has no way of knowing which cookie to look in. If a user clicks on a link from inside a tab, the request sends all cookies across all tabs and the server has no way of knowing which one clicked on the link.
Storing private tokens in sessionStorage: This doesn't work because when a user clicks on a link, there is no way to specify custom headers that should be sent alongside the HTTP GET request.
Requesting the page using AJAX, then navigating to the page in memory using Data URIs: For security reasons, Internet Explorer doesn't allow the use of DATA URIs for HTML content. See http://msdn.microsoft.com/en-us/library/cc848897%28v=vs.85%29.aspx
Using <form method="get" enctype="multipart/form-data"> and passing the token using hidden fields: enctype="multipart/form-data" is only supported for POST.
Using <form method="post" enctype="multipart/form-data"> and passing the token using hidden fields: in theory, this should work but now the user gets prompted to re-submit form data if he uses the back/forward button.
Requesting the page using AJAX, then rewriting the current page using document.open(); document.write(); document.close(). I tried both http://***.com/a/4404659/14731 and http://forums.mozillazine.org/viewtopic.php?p=5767285&sid=d6a5a2e8e311598cdbad124e277e0f52#p5767285 and in both cases the scripts in the new <head> block never get executed.
Any ideas?
Okay, after going through many different iterations, here is the implementation we ended up with:
publicToken, nextTabId.
privateToken, tabId.
publicToken is the token returned by the last login operation, across all tabs.
privateToken is the token returned by the last login operation of the current tab.
tabId.
nextTabId is a number that is accessible across all tabs.
nextTabId and increments its value.
tabId could have a value of "com.company.TabX" where X is the number returned by nextTabId.
privateToken and publicToken are overwritten using the authentication token returned by the server.
privateToken and publicToken on the browser side, and privateToken on the server side. We do not delete publicToken on the server side.
privateToken will get logged out as well. Any tabs using a different token will be unaffected.
privateToken? When you open a link in a new window or tab, it inherits the privateToken of the parent tab.
publicToken on the server, a tab logging out with privateToken X, publicToken Y would cause tabs with privateToken Y to get logged out (which is undesirable).
tabId query parameter to the URL. The parameter value is equal to the value of tabId.
tabId URL parameter from the current page using history.replaceState() so users can share links with their friends (tabId is user-specific and cannot be shared).
tabId cookie (more on this below).
tabId cookie and follows the link.
tabId and a value equal to the value of privateToken
tabId parameter is missing, then redirect the browser to GetTabId.html?referer=X where X is the current URL.
tabId is present but the authentication token is invalid or expired, then redirect the browser to the login screen.
privateToken, copy publicToken into privateToken.
privateToken and publicToken are undefined, redirect to the login page.
referer which indicates where to redirect to on success.
privateToken, append the tabId parameter to the referer page and redirect back to it.
window.location.replace() when redirecting to remove GetTabId.html from the browser history.
tabId cookie on page load, then each time a tab would make a request all of the other tabs' cookies would get sent as well.
tabId. As a result, it gets the source-code of the page which redirects to GetTabId.html instead of the actual page.
GetTabId.html and back to the original page).
Apologies for the long implementation details, but I could not find an easier/shorter solution.
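The GetTabId.html steps described in the answer above, as an added example that is not part of the original answer: it decides between the login page and the redirect back to `referer`, and strips `tabId` from a URL before it is passed to history.replaceState(). The function names, `LOGIN_PATH`, the reading of "copy publicToken into privateToken" as a fallback for a tab with no privateToken, and the same-origin check on `referer` (so the page cannot be used as an open redirect) are assumptions of this example.

```javascript
// Added example, not the answer's code. Pure functions: they run in Node or a browser.
const LOGIN_PATH = '/login'; // hypothetical login route

// Accept `referer` only if it resolves to a URL on our own origin.
function safeReferer(referer, origin) {
  if (typeof referer !== 'string' || referer === '') return null;
  let url;
  try {
    url = new URL(referer, origin); // relative paths resolve against origin
  } catch (e) {
    return null;
  }
  // "//evil.example/x", "/\evil.example" and "javascript:..." all fail this check.
  return url.origin === origin ? url : null;
}

// Decide what GetTabId.html does with the values it was given.
function resolveGetTabId({ referer, tabId, privateToken, publicToken }, origin) {
  // No privateToken in this tab: fall back to the token shared by all tabs.
  const token = privateToken || publicToken;
  if (!token) return { action: 'login', url: origin + LOGIN_PATH };
  // An untrusted or missing referer falls back to the site root (assumption).
  const target = safeReferer(referer, origin) || new URL('/', origin);
  target.searchParams.set('tabId', tabId);
  return { action: 'redirect', url: target.href, privateToken: token };
}

// URL to hand to history.replaceState() so a shared link carries no tabId.
function stripTabId(href) {
  const url = new URL(href);
  url.searchParams.delete('tabId');
  return url.pathname + url.search + url.hash;
}

// Browser wiring (not executed here):
//   const r = resolveGetTabId(values, window.location.origin);
//   window.location.replace(r.url);   // keeps GetTabId.html out of history
//   history.replaceState(null, '', stripTabId(window.location.href));
```

Comparing the parsed `origin` rather than matching on the string prefix is what rejects scheme-relative and backslash variants of an off-site `referer`.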