JP2011257810A - Relay server device, cookie control method and cookie control program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To properly execute writing processing of cookie information even when accessing from a browser to a web application via a relay server.SOLUTION: A relay server 10 replaces a substitution for a Set-Cookie in a response header from a web server 20 or a document.cookie in a script with a call of a setCookieFunc function, and adds into an HTML document. And a browser 30 performs an URI substitution on an ancestor domain with the relay server, and creates an iframe element for displaying a URI added a file name which is reserved in a directory with a cookie path designation. And the browser 30 provides a cookie setting instruction from a master frame to a domain of a slave frame by performing cross domain communication such as a postMessage on the created iframe. The cookie setting is performed in association with the ancestor domain on the iframe side.

Description

  The present invention relates to a relay server device, a cookie control method, and a cookie control program.

  2. Description of the Related Art In recent years, a technique related to cookies in which a Web server temporarily writes and stores cookie information on a client computer through a browser is known. It is known that the cookie information stored in this way is shared and used when the ancestor domains of a plurality of domains accessed by the browser are common. For example, the domain `` sso.example.com '' and the domain `` ap1.example.com '' have the same ancestor domain `` example.com '', and the browser that accessed `` sso.example.com '' and `` ap1.example.com ''. Share and use cookie information with the browser that accessed "example.com".

  Here, a process for sharing and using a cookie when an ancestor domain is common will be described using the example of FIG. FIG. 14 is a diagram illustrating processing for sharing a cookie when an ancestor domain is common. For example, as shown in FIG. 14, when the user performs a login process with the web application “sso.example.com” from the browser A of the client device, a cookie set instruction with the designation of the ancestor domain “example.com” is displayed. It is transmitted from the Web server to browser A. In the example of FIG. 14, an HTTP (Hypertext Transfer Protocol) response including a Set-Cookie header of “Set-Cookie: sid = 1234; domain = .example.com” is transmitted from the Web server to the browser A as a cookie setting instruction. Is done.

  Upon receiving the cookie set instruction “Set-Cookie: sid = 1234; domain = .example.com”, the browser A identifies the ancestor domain “example.com” and associates it with the ancestor domain “example.com”. Write the cookie information “sid = 1234”.

  The cookie written in this way is stored in association with the ancestor domain “.example.com”, so even when accessing “ap1.example.com” as well as “sso.example.com” , Send cookies. For example, after the login process to “sso.example.com”, when the user accesses “ap1.example.com” from the browser B, the cookie “Cookie” sent in the login process to “sso.example.com” : sid = 1234 "is transmitted to the Web server as an HTTP request header.

  In some cases, a relay server that replaces a Uniform Resource Identifier (URI) is provided between the Web server and the client device. Specifically, the relay server replaces the URI by replacing the dot “.” In the domain part of the URI with a hyphen “-” and adding the host name of the relay server. For example, referring to the example of FIG. 14, when the host name of the relay server is “r.test”, the relay server changes “sso.example.com” to “http-sso-example-com. Replace with “r.test” and replace “ap1.example.com” with “http-ap1-example-com.r.test”.

JP 2009-271676 A

  However, in the above-described technology in which the relay server replaces the URI, the domain part of the URI is replaced. Therefore, the parent-child relationship of the domain disappears, cookie sharing becomes impossible, and the cookie information writing process is appropriately executed. There was a problem that I could not.

  For example, in the example of FIG. 14, “sso.example.com” is replaced with “http-sso-example-com.r.test”, and “ap1.example.com” is “http-ap1-example-com. “example.com”, which is an ancestor domain, is replaced with “http-example-com.r.test”. Here, on the browser side, the dot is a hyphen, so the ancestor domains of "http-sso-example-com.r.test" and "http-ap1-example-com.r.test" are "http- "example-com.r.test" cannot be specified. For this reason, the parent-child relationship of the domain disappears, and the cookie information writing process of the ancestor domain cannot be appropriately executed.

  An object of one aspect is to appropriately execute cookie information writing processing even when a Web application is accessed from a browser via a relay server.

  In the first proposal, when the cookie write instruction information for the browser is received from the server, the cookie write instruction information is replaced with script call information. Then, a script for creating a frame corresponding to the ancestor domain of the request destination domain of the browser and adding a cookie write instruction corresponding to the ancestor domain to the frame is added to the script call information.

  Even when a Web application is accessed from a browser via a relay server, cookie information writing processing can be appropriately executed.

FIG. 1 is a block diagram illustrating the configuration of the relay server device according to the first embodiment. FIG. 2 is a diagram illustrating a cookie writing process. FIG. 3 is a diagram illustrating a cookie reading process. FIG. 4 is a sequence diagram illustrating the flow of the cookie writing process performed by the relay server device according to the first embodiment. FIG. 5 is a sequence diagram illustrating the flow of the cookie reading process performed by the relay server device according to the first embodiment. FIG. 6 is a block diagram illustrating the configuration of the relay server device according to the second embodiment. FIG. 7 is a diagram illustrating an example of a request for image data received by the relay server. FIG. 8 is a diagram illustrating an example of image data in which a cookie having an ancestor domain name is added to a header. FIG. 9 is a diagram illustrating an example of data stored in the data beta of the temporary storage unit. FIG. 10 is a sequence diagram illustrating the flow of the image cookie process performed by the relay server device according to the second embodiment. FIG. 11 is a flowchart illustrating a process flow of the relay server device according to the second embodiment. FIG. 12 is a flowchart illustrating a process flow of the relay server device according to the second embodiment. FIG. 13 is a diagram illustrating a computer that executes a cookie writing / reading program. FIG. 14 is a diagram illustrating processing for sharing a cookie when an ancestor domain is common.

  Exemplary embodiments of a relay server device, a cookie control method, and a cookie control program according to the present invention will be described below in detail with reference to the accompanying drawings.

  In the following embodiments, the configuration and processing flow of the relay server according to the first embodiment will be described in order, and finally the effects of the first embodiment will be described.

[Configuration of relay server]
First, the configuration of the relay server 10 will be described with reference to FIG. FIG. 1 is a block diagram illustrating the configuration of the relay server 10 according to the first embodiment. As shown in FIG. 1, the relay server 10 includes a request determination unit 11, a relay unit 12, and a cookie operation page return unit 13, and is connected to a Web server 20 and a browser 30 of a user terminal. The processing of each of these units will be described below.

  When accessed from the browser 30 of the user terminal via the relay server 10, the Web server 20 sends information such as an HTML (HyperText Markup Language) document or image to the browser 30 of the accessing user terminal. The response is transmitted via the relay server 10. The browser 30 transmits a request to the Web server 20 via the relay server 10 and receives a response to the request from the Web server 20 via the relay server 10.

  The request determination unit 11 determines whether the request path has a specific file name (for example, “CookieHandler.html”), and when the request path has a specific file name, the request determination unit 11 is a request to the cookie operation page. Is determined. Specifically, the request determination unit 11 receives a request from the browser, detects the path portion of the request, and whether the file name of the path matches a specific file name (for example, “CookieHandler.html”). judge.

  As a result, the request determination unit 11 detects the path part of the request, and when determining that the path file name matches the specific file name, notifies the request to the cookie operation page return unit 13 described later. Further, the request determination unit 11 detects the path portion of the request, and when determining that the file name of the path does not match the specific file name, notifies the relay unit 12 described later of the URI.

  For example, for the request whose request path is “/CookieHandler.html” or “/dir1/dir2/CookieHandler.html”, the request determination unit 11 notifies the cookie operation page return unit 13 of the request.

  Further, the request determination unit 11 notifies the relay unit 12 of a request for a request whose request path is “/” or “/CookieHandler.html/dir/”. The specified file name such as “CookieHandler.html” can be set freely by the relay server, and may be a different file name or a file name that is not used by other Web servers. .

  The relay unit 12 relays communication between the Web server 20 and the browser 30 of the user terminal, and includes a request proxy unit 12a, a URI replacement unit 12b, a cookie replacement unit 12c, and a script addition unit 12d.

  The URI replacement unit 12 b replaces the URI of the browser 30 when receiving a response to the browser 30 from the Web server 20. Specifically, the URI replacement unit 12b replaces the dot “.” In the domain part of the URI received from the Web server 20 with a hyphen “-” and adds the host name “r.test” of the relay server.

  For example, when receiving “http://sso.example.com” from the Web server 20, the URI replacing unit 12b replaces it with “http: //http-sso-example-com.r.test”. When the URI replacement 12b receives "http: //http-sso-example-com.r.test/login/login" from the browser 30, the "http://sso.example.com/login/login" To the request charge back part 12a.

  When receiving the request received from the browser 30 of the user terminal, the request proxy unit 12a interprets the domain in the request and transmits the request to the Web server. Specifically, the request proxy unit 12a receives a URI from the URI replacement unit 12b, and transmits a request to the Web server 20 using the received URI.

  The cookie replacement unit 12c replaces the cookie write instruction information with the call information of the script when the cookie write instruction information for the browser 30 is received from the Web server 20. Specifically, the cookie replacement unit 12c determines whether the response from the Web server 20 includes substitution to document.cookie in the Set-Cookie header or Java (registered trademark) Script. As a result, if it is determined that the response from the Web server 20 includes an assignment to the Set-Cookie header or document.cookie in the script, the set.Cookie header or document.cookie in the script is set to the setCookieFunc function. Replace with a call to.

  The script addition unit 12d adds a script for creating a frame corresponding to the ancestor domain of the domain of the browser 20 to the script call information and instructing the frame to write a cookie corresponding to the ancestor domain by cross-domain communication. To do. For example, the script adding unit 12d adds the definition of the setCookieFunc function to the HTML document after the cookie replacing unit 12c replaces the call with the setCookieFunc function.

  Further, the script adding unit 12d adds a script for creating an iframe element in which the directory path of the ancestor domain frame is the same as the path directory of the destination frame of the response from the browser 20.

  For example, the script adding unit 12d has a parent frame “http://sso.example.com/login/login” and “Set-Cookie: sid = 1234; domain = .example.com; path = /”. When a cookie is sent, the URI of the iframe is “http: //http-example-com.r.test/login/CookieHandler.html”. That is, the directory of the ancestor domain frame path and the directory of the destination frame path are aligned with “/ login /”. As a result, even when a domain or path is specified by assignment to document.cookie in the Set-Cookie header or JavaScript, the cookie can be appropriately processed.

  In addition, the script adding unit 12d adds a script that creates a frame corresponding to the ancestor domain and causes the frame to acquire a cookie of the ancestor domain and transmit the cookie to the parent frame by cross domain communication at regular intervals. .

  For example, when a response of an HTML document is received from the Web server 20, a reading script for copying a cookie from an ancestor domain is added to the HTML document.

  The cookie operation page return unit 13 returns a cookie operation page composed of HTML and script stored in the relay server 10. Here, the cookie operation page is assumed to be read in an iframe in the browser 30 and reads / writes a cookie across domains. The cookie operation page may include logic for maintaining security in cross-domain communication.

  Here, the cookie writing process will be specifically described with reference to FIG. As shown in FIG. 2, when the relay server 10 receives the Set-Cookie of the response header from the Web server 20 or the substitution of document.cookie in the script, the relay server 10 replaces the header or script with a call to the setCookieFunc function. , SetCookieFunc function is added to the HTML document. For example, the relay server 10 sets the header of Set-Cookie: sid = 1234; domain = .example.com; path = / to a script of setCookieFunc (“sid = 1234; domain = .example.com; path = /”). Replace and send to browser 30.

  When the setCookieFunc function is called, the browser 30 determines whether an ancestor domain is specified. As a result, when the browser 30 determines that the ancestor domain is not specified, the browser 30 registers the cookie contents in document.cookie to register the browser cookie. If the browser 30 determines that an ancestor domain is specified, the browser 30 replaces the ancestor domain with a relay server, and adds a reserved file name CookieHandler.html to the same directory as the parent frame. Iframe element is displayed, and CookieHandler.html is acquired from the relay server 10.

  Thereafter, the browser 30 performs cross-domain communication such as postMessage on the created iframe and issues a cookie setting instruction from the parent frame to the child frame domain. In the script in CookieHandler.html on the iframe side that received the instruction, check whether the instruction source is a descendant domain. As a result, when the instruction source is a descendant domain, a cookie set to the ancestor domain is performed by substituting the contents of the cookie into document.cookie on the iframe side.

  Next, the cookie reading process will be specifically described with reference to FIG. There are two cases in which the cookie reading process is performed: a case in which a browser adds a Cookie header to an HTTP request, and a case in which a script reads document.cookie. As illustrated in FIG. 3, the relay server 10 acquires an HTML document from the Web server 20 in response to a request from the browser 30.

  Then, the relay server 10 adds a cookie reading script to the acquired HTML document and transmits it to the browser 30. Thereafter, a reading script is executed on the browser 30 to create an iframe element for reading CookieHandler.html in the ancestor domain of the original domain.

  For example, when the browser 30 displays http: //http-ap1-example-com.r.test/dir1/dir2/file.html, the ancestor domain is ap1.example.com because the original domain is ap1.example.com. It is one of the domains that is example.com. Since the directory is / dir1 / dir2 /, an iframe for reading http: //http-example-com.r.test/dir1/dir2/CookieHandler.html is created. Depending on the domain, the number of iframes created may be zero or multiple.

  Then, after reading CookieHandler.html from the relay server 10, the browser 30 sends a cookie acquisition instruction to the iframe by cross-domain communication. CookieHandler.html script on iframe side confirms the sender of cross domain communication and confirms whether it is communication from descendant domain.

  As a result, when it is confirmed that the communication is from the descendant domain, the value of document.cookie is read by the script. Cookies that can be read here can be read from CookieHandler.html corresponding to the domain and path.

  Then, the contents of the cookie are transmitted to the parent frame by cross-domain communication. The parent frame confirms that the source of the cross-domain communication is the ancestor domain, and substitutes the contents of the cookie in document.cookie so that the ancestor domain cookie can be used in the parent frame domain. After that, in order to maintain cookie consistency, the cookie to be assigned to the document.cookie of the parent frame is set to expires short, and the cookie reading between frames is repeated at regular intervals. Thereby, it is possible to read a cookie corresponding to the designated path that is an ancestor domain.

[Processing by relay server]
Next, a cookie writing process by the relay server 10 according to the first embodiment will be described with reference to FIG. FIG. 4 is a sequence diagram illustrating the flow of the cookie writing process performed by the relay server device according to the first embodiment. In the following example, when login processing is performed at http://sso.example.com/login/, a response header of Set-Cookie: sid = 1234; domain = .example.com; path = / is returned And

  As shown in FIG. 4, the relay server 10 receives a login request from the browser 30 (step S101). For example, in the initial state, the browser 30 opens http://sso.example.com/login/ at http: //http-sso-example-com.r.test/login/ via the relay server 10. When the user name and password in the input form are input and the login button is pressed, the browser 30 transmits a login request to http: //http-sso-example-com.r.test/login/login.

  Subsequently, the relay server 10 allocates processing to the relay unit 12 because the request determination unit 11 of the relay server has a path / login / login different from “CookieHandler.html”. Then, the URI replacement unit 12b of the relay unit 12 restores the URI and obtains a URI of http://sso.example.com/login/login (step S102).

  Then, the request proxy unit 12a of the relay unit 12 transmits a request to the Web server 20 (step S103). Subsequently, when the Web server 20 checks the user name and password and can confirm the validity, the Web server 20 sends a response with the Set-Cookie: sid = 1234; domain = .example.com; path = / header to the relay server. 10 is returned (step S104).

  Thereafter, the relay server 10 performs URI replacement, cookie replacement, and script addition on the response returned from the Web server 20 (step S105). For example, the relay server 10 sets the header of Set-Cookie: sid = 1234; domain = .example.com; path = / as a cookie replacement setCookieFunc (“sid = 1234; domain = .example.com; path = /” ) Script.

  Then, the relay server 10 transmits a response in which the URI replacement, the cookie replacement, and the script addition are performed to the browser 30 (Step S106). Then, the browser 30 creates an iframe with the added script (step S107). Here, since the ancestor domain of sso.example.com is only one of example.com and the path is / login / login, the URI of the created iframe is http: //http-example-com.r .test / login / CookieHandler.html

  Then, the request determination unit 11 of the relay server 10 receives the request with the URI “http: //http-example-com.r.test/login/CookieHandler.html” from the iframe of the browser 30 (step S108). Then, the request determination unit 11 assigns a process to the cookie operation page return unit 13 because the file name of the path is CookieHandler.html. Subsequently, the cookie operation page return unit 13 returns a cookie operation page to the client (step S109).

  After that, when the setCookieFunc function is called on the browser 30 side, for http: //http-example-com.r.test/login/CookieHandler.html of iframe corresponding to .example.com of the specified domain A cookie set request is sent by cross-domain communication (step S110). Then, the iframe that has received the cross domain communication checks the validity of the cross domain communication source. In the example of Fig. 4, the source domain is http-sso-example-com.r.test, the iframe domain is http-example-com.r.test, and the parent-child relationship in the domain before replacement Therefore, it is judged to be appropriate. If it is determined to be valid, the iframe side executes a script of document.cookie = “sid = 1234; path = /” to set a cookie (step S111).

  Next, a cookie reading process by the relay server 10 according to the first embodiment will be described with reference to FIG. FIG. 5 is a sequence diagram illustrating the flow of the cookie reading process performed by the relay server device according to the first embodiment. In the following example, a case where application app1 is used after the login process described with reference to FIG. 4 will be described. When app1 accesses http://app1.example.com/sso/, SSO authentication is performed.

  As shown in FIG. 5, the browser 30 accesses http://app1.example.com/ via the relay server 10 and makes a request to http: //http-app1-example-com.r.test/. Send (step S201). The request determination unit 11 of the relay server 10 allocates request processing to the relay unit 12 because / in the path part is different from CookieHandler.html.

  Then, the URI replacement unit 12b of the relay unit 12 restores the URI to http://app1.example.com/ (step S202). Subsequently, when the request proxy unit 12a sends a request to the restored URI (step S203), the request proxy unit 12a receives a response from the Web server 20 (step S204).

  Then, the relay server 10 performs URI replacement, cookie replacement, and script addition on the response returned from the Web server 20 (step S205). Here, since the response does not include the Set-Cookie header or assignment to document.cookie in the script, cookie substitution is not performed. Thereafter, the relay server 10 transmits a response to the browser 30 (step S206).

  Then, the browser 30 creates an iframe with the added script (step S207). Since the ancestor domain of app1.example.com is only one of “example.com” and the path is “/”, the URI of the created iframe is http: //http-example-com.r. It becomes test / CookieHandler.html. Then, the iframe in the browser transmits a request with this URI to the relay server 10 and reads /CookieHandler.html (step S208).

  Then, since the path is /CookieHandler.html, the request determination unit 11 allocates processing to the cookie operation page return unit 13. The cookie operation page return unit 13 returns the cookie operation page to the client (step S209). Subsequently, the parent frame of the browser issues a cookie acquisition request to the iframe by cross-domain communication (step S210). On the iframe side, confirm that the source of cross-domain communication is a descendant domain of the iframe domain, refer to the document.cookie property, and save the browser 30 in the / path of the http-example.com.r.test domain The cookie being read is read (step S211). For example, the cookie with sid = 1234 is read by referring to document.cookie.

  The iframe transmits the read cookie to the parent frame http: //http-app1-example-com.r.test/ by cross-domain communication (step S212). In the parent frame, it is confirmed whether the communication source of the cross domain communication is an ancestor domain, and the contents of the cookie are substituted into the document.cookie property (step S213). This allows the ancestor domain cookies to be read in the parent frame domain. Further, for the consistency of cookies, steps S210 to S213 are repeatedly executed by a timer or the like.

  When the user clicks the link for SSO displayed on the browser 30 (step S214), the browser 30 sends a request to http: //http-app1-example-com.r.test/sso/. Try to send (step S215). Here, since the cookie of the ancestor domain is copied, the browser 30 sends a request with Cookie: sid = 1234 assigned as the cookie.

  When receiving a request, the request determination unit 11 of the relay server 10 allocates request processing to the relay unit 12 because the path is / sso / and not /CookieHandler.html. The URI replacement unit 12b of the relay unit 12 restores the URI to http://app1.example.com/sso/ (step S216), and the request proxy unit 12a sends a request with a header of Cookie: sid = 1234 to http: // Send to app1.example.com/sso/ (step S217). Thereafter, the Web server 20 performs SSO authentication by looking at the sid value of the cookie. As a result, SSO authentication across domains is normally performed even via the relay server 10.

[Effect of Example 1]
As described above, when the relay server 10 relays a response from the Web server 20 to the browser 30, the relay of the request is replaced. When the relay server 10 receives cookie write instruction information for the browser 10 from the Web server 20, the relay server 10 replaces the cookie write instruction information with script call information. Thereafter, the relay server 10 adds a script for creating a frame corresponding to the ancestor domain of the request destination domain of the browser 30 to the replaced script call information. Further, the relay server 10 adds a script for transmitting a cookie write instruction corresponding to the ancestor domain to the frame by cross-domain communication. For this reason, even when accessing a Web application from a browser via a relay server, it is possible to appropriately execute a process of writing cookie information.

  Further, according to the first embodiment, the relay server 10 further adds a script for making the directory path of the ancestor domain frame the same as the directory of the destination frame path of the response received from the browser 30. For this reason, even when a domain or path is specified by substitution in the Set-Cookie header or document.cookie in JavaScript, the iframe path directory is aligned with the parent frame path directory. As a result, it is possible to appropriately execute the process of writing the cookie information corresponding to the ancestor domain and the specified path.

  According to the first embodiment, the relay server 10 receives a response from the Web server 20 to the browser 30. The relay server 10 adds a script that creates a frame corresponding to the ancestor domain, causes the frame to acquire a cookie of the ancestor domain, and transmits the cookie to the reception destination frame of the response by cross-domain communication. For this reason, it is possible to appropriately execute the cookie information reading process.

  Further, according to the first embodiment, the relay server 10 performs a process of acquiring a cookie of the ancestor domain in a frame corresponding to the ancestor domain and transmitting the cookie to the reception destination frame of the response by cross domain communication at regular intervals. Add the script to be used. For this reason, it is possible to maintain consistency of the ancestor domain.

  By the way, in the above-described first embodiment, the case where HTML / JavaScript has a Set-Cookie header and converted to a script to perform cookie read / write processing has been described. However, the present embodiment is limited to this. Cookie write processing is performed even when a Set-Cookie header is attached to an image or the like.

  For example, in order to read “http://www.example.com/image.jpg” via the relay server, the browser transmits an HTTP request as illustrated in FIG. 7 to the Web server. Then, the Web server adds a cookie “key = value; domain = .example.com; path = /” with an ancestor domain designation to the header, and sends a response as illustrated in FIG. 8 to the browser via the relay server. To do.

  First, the configuration of the relay server 10A according to the second embodiment will be described. As illustrated in FIG. 6, the relay server 10 </ b> A is different from the relay server 10 illustrated in FIG. 1 in that it newly includes an image cookie processing unit 14. In the relay server 10A, the image cookie processing unit 14 includes a URI replacement unit 14a, a response creation unit 14b, and a temporary storage unit 14c.

  As in the first embodiment, the request determination unit 11 requests the cookie operation page return unit 13 for requests whose request path is “/CookieHandler.html” or “/dir1/dir2/CookieHandler.html”. To be notified. Similarly to the first embodiment, the request determination unit 11 notifies the relay unit 12 of a request for a request whose request path is “/” or “/CookieHandler.html/dir/”. In addition, the request determination unit 11 notifies the image cookie processing unit 14 of a request that includes SetCookieWithRedirection = true in the URI query parameter.

  The URI replacement unit 14 a replaces the domain part of the URI received from the Web server 20 and restores the domain part of the URI received from the browser 30. Specifically, the URI replacement unit 14a replaces the dot “.” In the domain portion of the URI received from the Web server 20 with a hyphen “-” and adds the host name “r.test” of the relay server.

  The response creation unit 14b transmits the URI, which is the storage destination in which the cookie included in the cookie write instruction information is written, to the browser 30 as a redirect destination. Specifically, the response creation unit 14b acquires one arbitrary cookie from cookies stored in the database, and transmits a redirect to a URI that can set the cookie to the browser.

  Then, when there is a request for the redirect destination from the browser 30, the response creating unit 14 b creates a response that sends the cookie to the browser 30 and requests the redirect destination again. The response creation unit 14b returns the response body stored in the temporary storage unit 14c to the browser 30 when there is a request for the redirect destination from the browser 30 again.

  The temporary storage unit 14c, when the response body included in the response from the server to the browser is not HTML or JavaScript, but includes cookie write instruction information with an ancestor domain specification, the cookie and response included in the cookie write instruction information Memorize the body.

  Specifically, the temporary storage unit 14c, as shown in FIG. 9, “id”, which is a uniquely assigned value, “token”, which is a value generated by a random number, and the set of resp1r in FIG. -"Cookies", which is a cookie with an ancestor domain specified in the Cookie header, is stored in association with each other. Further, as illustrated in FIG. 9, the temporary storage unit 14 c associates “respBody” that is a response body of image data with “returnTo” that is a URI obtained by restoring the URI of the request from the browser 30 to the Web server 20. Remember.

  Next, processing performed by the relay server 10A according to the second embodiment will be described with reference to FIGS. FIG. 10 is a sequence diagram illustrating the flow of the image cookie process performed by the relay server device according to the second embodiment. FIG. 11 is a flowchart illustrating a process flow of the relay server device according to the second embodiment. FIG. 12 is a flowchart illustrating a process flow of the relay server device according to the second embodiment.

  As shown in FIG. 10, in order for the browser 30 to read http://www.example.com/image.jpg via a relay server, http: //http-www-example-com.r.test/image.jpg A request is sent to (step S301). Then, the relay server 10A relays the request and sends the request to http://www.example.com/image.jpg (step S302).

  Then, the Web server 20 adds the cookie key = value; domain = .example.com; path = / with the ancestor domain designation to the header and returns the image data (step S303). When the relay server 10A determines that there is no HTML or JavaScript cookie set instruction and there is an ancestor domain designation, the relay server 10A delegates the processing to the image cookie processing unit 14. Then, the image cookie processing unit 14 adds a new line to the temporary storage unit 14c and writes the data (step S304).

  Thereafter, the response creation unit 14b takes out one arbitrary cookie from the cookies stored in the temporary storage unit 14c. For example, in the example of FIG. 9, since only one cookie is stored in the cookies column, key = value; domain = .example.com; path = / is extracted. The relay server 10 returns to the browser 30 a redirect to http: //http-example-com.r.test/? SetCookieWithRedirection = true & id = 1234 & token = 0306, which is a URI that can set the extracted cookie (step S305). Note that the query parameter SetCookieWithRedirection = true in this URI can be arbitrarily set by the relay server in the same way as CookieHandler.html that appeared in the first embodiment. Also, the relay server can freely set the parameter names of id and token.

  The browser 30 resends the request to http: //http-example-com.r.test/? SetCookieWithRedirection = true & id = 1234 & token = 0306 (step S306). Since the request determination unit 11 of the relay server 10 includes SetCookieWithRedirection = true in the query parameter of the requested URI, the request determination unit 11 passes the processing to the response creation unit 14b of the image cookie processing unit 14.

  The response creation unit 14b acquires the id parameter and the token parameter of the request, and acquires a line in which both match from the temporary storage unit 14c. When the URI of the request transmitted in step S306 is restored, the domain and path are example.com and /. When a cookie that can be set with this domain and path is searched from the cookies column, key = value; domain = .example.com; path = / matches. For this reason, the response creation unit 14b deletes the cookie after acquiring it from the temporary storage unit 14c (step S307).

  Then, the response creation unit 14b of the relay server 10 adds a query parameter by replacing the value of the returnTo column with a URI because there is no cookie remaining in the cookies column. Then, the acquired cookie is attached to the header and a redirect to the URI is returned to the browser (step S308). Thereafter, the browser 30 replaces example.com according to the header of Set-Cookie: key = value; domain = .http-www-example-com.r.test; path = / http-www-example-com.r Set cookies in the .test domain.

  Then, the browser 30 resends the request with the URI specified in step S308 (step S309). Then, the request determination unit 11 of the relay server 10 passes the processing to the image cookie processing unit 14 because the request parameter includes SetCookieWithRedirection = true.

  The response creation unit 14 acquires the id parameter and the token parameter of the request, and acquires a row in which both match from the temporary storage unit 14c. Since the cookies column is empty in step S307, the value of respBody is acquired and the row is deleted from the temporary storage unit 14c (step S310). Thereafter, the response creation unit 14 creates a response with respBody and returns it to the browser 30 (step S311).

  Next, the flow of processing by the relay server according to the second embodiment will be described with reference to FIGS. 11 and 12. FIG. 11 and FIG. 12 are flowcharts illustrating the flow of processing by the relay server device according to the second embodiment. As illustrated in FIG. 11, when the relay server 10A receives the response (Yes at Step S401), the relay server 10A determines whether the response from the Web server 20 is HTML or JavaScript (Step S402).

  As a result, when the relay server apparatus 10A determines that the response is HTML or Javascript (Yes in step S402), as described in the first embodiment, the relay server apparatus 10A replaces the cookie set instruction with a call to the setCookieFunc function (step S402). S403). Then, the relay server device 10A does not include the assignment to the Set-Cookie header or document.cookie in the response (No in step S402), and if there is a Set-Cookie header, is there a domain designation? Determination is made (step S404).

  As a result, when the ancestor domain is designated (Yes at Step S404), the relay server device 10A performs a cookie reading process and a line deletion process (described later in detail with reference to FIG. 12) (Step S405). If there is no ancestor domain designation (No at Step S404), the relay server device 10A replaces the cookie domain that was originally included in the header (Step S406).

  Next, cookie reading processing and line deletion processing by the relay server 10A will be described using FIG. As shown in FIG. 12, a cookie of the same domain is added to the response header (step S501), and a new line is created for the temporary storage unit 14c (step S502).

  Then, the response creation unit 14b of the relay server 10A determines whether there is a cookie in the cookies column of the temporary storage unit 14c (step S503). As a result, when there is a cookie in the cookies column of the temporary storage unit 14c (Yes at Step S503), the response creation unit 14b acquires one cookie from the cookies column (Step S504). Then, the redirect is transmitted to the browser 30 to the URI that can set the acquired cookie (step S505).

  Thereafter, after waiting for the next request (step S506), the relay server 10A acquires all cookies that can be set with the current URI from among the cookies in the cookies column, deletes the cookies from the column, and adds them to the response header. (Step S507). And it returns to step S503 and repeats the process of step S504-S507 until there is no cookie in the cookies column of the temporary storage part 14c. Thereafter, when there is no cookie in the cookies column of the temporary storage unit 14c (No at Step S503), the value of the returnTo column is acquired (Step S508).

  Then, the acquired cookie is attached to the header and a redirect to the URI is returned to the browser (step S509). Thereafter, the relay server 10 waits for the request (step S510), acquires the id parameter and the token parameter of the request, acquires a line in which both match from the temporary storage unit 14c, reads the value of respBody, and reads the line. It deletes (step S511).

  As described above, according to the second embodiment, when the response body included in the response from the Web server 20 to the browser 30 includes cookie writing instruction information instead of HTML or JavaScript, the relay server 10A includes cookie writing instruction information. Are stored in the temporary storage unit 14c. Then, the relay server 10A transmits the URI in which the cookie included in the cookie write instruction information is written to the browser 30 as a redirect destination. Subsequently, when there is a request for a redirect destination from the browser 30, the relay server 10 </ b> A transmits a cookie to the browser 30 and creates a response that requests the redirect destination again. Thereafter, when the request for the redirect destination is received again from the browser 30, the relay server 10 </ b> A returns the response body stored in the temporary storage unit 14 c to the browser 30. For this reason, the relay server 10A can cause the browser 30 to appropriately process the cookie even if the image includes a Set-Cookie.

  Although the first and second embodiments have been described so far, the present invention may be implemented in various different forms other than the above-described embodiments. Therefore, another embodiment will be described below as a third embodiment.

(1) System Configuration, etc. Further, each component of each illustrated apparatus is functionally conceptual and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, the script adding unit 12d may be distributed into a writing script adding unit and a reading script adding unit. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

(2) Program When the processing of the relay server 10 in FIG. 1 is executed by a program, an information processing apparatus (computer) as shown in FIG. 13 is used. 13 includes a central processing unit (CPU) 1401, a memory 1402, an input device 1403, an output device 1404, an external storage device 1405, a medium driving device 1406, and a network connection device 1407, which are connected to each other. Yes.

  The memory 1402 includes, for example, a read only memory (ROM), a random access memory (RAM), and the like, and stores programs and data used for processing. The CPU 1401 performs the same processing as the relay server by executing a program using the memory 1402.

  The input device 1403 is, for example, a keyboard, a pointing device, and the like, and is used for inputting instructions and information from an operator. The output device 1404 is, for example, a display, a printer, a speaker, or the like, and is used for outputting an inquiry to the operator and a processing result.

  The external storage device 1405 is, for example, a magnetic disk device, an optical disk device, a magneto-optical disk device, a tape device, or the like. The information processing apparatus stores programs and data in the external storage device 1405, and loads them into the memory 1402 for use as necessary.

  The medium driving device 1406 drives a portable recording medium 1408 and accesses the recorded contents. The portable recording medium 1408 is an arbitrary computer-readable recording medium such as a memory card, a flexible disk, an optical disk, and a magneto-optical disk. The operator stores programs and data in the portable recording medium 1408, and loads them into the memory 1402 for use as necessary.

  The network connection device 1407 is connected to a communication network such as the Internet, and performs data conversion accompanying communication with the client and each target server. Further, the information processing apparatus receives programs and data from an external apparatus via the network connection apparatus 1407 as necessary, and loads them into the memory 1402 for use.

10, 10A relay server 11 request determination unit 12 relay unit 12a request proxy unit 12b URI replacement unit 12c cookie replacement unit 12d script addition unit 13 cookie operation page return unit 14 image cookie processing unit 14a URI replacement unit 14b response creation unit 14c temporary storage Part

Claims (7)

A resource identifier replacement unit that replaces the resource identifier of the request when a response from the server to the browser is relayed;
A cookie replacement unit that replaces the cookie writing instruction information with script call information when receiving the cookie writing instruction information for the browser from the server;
For the script call information replaced by the cookie replacement unit, a frame corresponding to the ancestor domain of the request destination domain of the browser is created, and a cookie write instruction corresponding to the ancestor domain is transmitted to the frame by cross-domain communication. A writing script adding unit for adding a script to be transmitted;
A relay server device characterized by comprising:   2. The script according to claim 1, wherein the writing script adding unit further adds a script that makes a directory of a path of a frame of the ancestor domain the same as a directory of a path of a destination frame of a response from the browser. Relay server device.   A read script adding unit for creating a frame corresponding to the ancestor domain and adding a script for causing the frame to read a cookie of the ancestor domain and transmitting the cookie to the destination frame of the response by cross-domain communication; The relay server device according to claim 1, wherein   The reading script adding unit adds a script that causes a cookie of an ancestor domain to be acquired in a frame corresponding to the ancestor domain and that the cookie is transmitted to the reception destination frame of the response by cross domain communication at regular intervals. The relay server device according to claim 1, wherein the relay server device is a relay server device. When the response body included in the response from the server to the browser is image information and includes cookie write instruction information, the cookie storage stores the cookie and response body included in the cookie write instruction information in the storage unit And
A redirect destination transmission unit that transmits the storage destination information in which the cookie included in the cookie writing instruction information is written to the browser as a redirect destination;
When there is a request for the redirect destination from the browser, the cookie is transmitted to the browser, and a response creation unit that creates a response to request the redirect destination again;
When there is a request for the redirect destination from the browser again, a response body reply unit that returns the response body stored in the storage unit to the browser;
The relay server device according to claim 1, further comprising: A URI replacement step for replacing the resource identifier of the request when a request for the server is received from the browser;
A cookie replacement step of replacing the cookie write instruction information with script call information when receiving cookie write instruction information for the browser from the server;
For the script call information replaced by the cookie replacement step, a frame corresponding to the ancestor domain of the request destination domain of the browser is created and a cookie write instruction corresponding to the ancestor domain is transmitted to the frame by cross-domain communication. A writing script adding step for adding a script to be transmitted;
Cookie control method characterized by including. A URI replacement procedure for replacing the resource identifier of the request when a request for the server is received from the browser;
A cookie replacement procedure for replacing the cookie write instruction information with script call information when receiving cookie write instruction information for the browser from the server;
For the script call information replaced by the cookie replacement procedure, a frame corresponding to the ancestor domain of the request destination domain of the browser is created and a cookie write instruction corresponding to the ancestor domain is transmitted to the frame by cross-domain communication. Write script addition procedure to add the script to send,
A cookie control program for causing a computer to execute.

Images