Best Practices for Multi-Subdomain SSO and Cross-Domain Session Governance

Overview

In a multi-subdomain setup, SSO needs a secure main-domain session and governed cross-domain callbacks to prevent abuse and session hijacking.

Main-domain cookie policy

```http
Set-Cookie: sso_sid=<id>; Domain=.example.com; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=1800
```

Callback allow-list

```typescript
// Accept a callback URI only if its origin and path match an entry exactly.
function isAllowedCallback(uri: string): boolean {
  const allow = ['https://a.example.com/cb', 'https://b.example.com/cb'];
  try {
    const u = new URL(uri);
    return allow.includes(u.origin + u.pathname);
  } catch {
    // Unparsable URI: reject rather than fall through.
    return false;
  }
}
```

Token binding

```typescript
type SsoToken = {
  jti: string; // token id
  sub: string; // subject
  sid: string; // main-domain SSO session id the token is bound to
  aud: string; // intended audience (subdomain)
  iat: number;
  exp: number;
};

// A token is only valid for the session it was issued to.
function bindTokenToSid(token: SsoToken, sid: string): boolean {
  return token.sid === sid;
}
```

Subdomain session synchronisation

```typescript
// Exchange the main-domain session id for a short-lived token scoped to one subdomain.
async function exchangeForSubdomainToken(sid: string, subaud: string): Promise<string> {
  const res = await fetch('https://idp.example.com/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ sid, aud: subaud }),
  });
  if (!res.ok) {
    throw new Error(`token exchange failed: ${res.status}`);
  }
  const data = await res.json();
  return data.access_token;
}
```

Operational points

- Use SameSite=Lax on the main-domain cookie, and pair it with CSRF protection and the callback allow-list where a cross-site callback is unavoidable.
- Bind tokens to the SSO session id and exchange them for short-lived tokens on each subdomain.
- Unify the callback allow-list with a controlled authorization flow across all subdomains.

With a main-domain cookie policy, a callback allow-list and token binding, reliable SSO and session governance can be achieved in a multi-subdomain architecture.
