Cookies and Ajax across multiple subdomains

2023-09-10 14:17:26 Author: 梦里泪@盼君归

I need an HttpOnly authentication cookie to work on:

mydomain.com
www.mydomain.com
abc.mydomain.com

so that I can be logged into all three places via a single login.

This is working fine, by setting my cookie domain to:

.mydomain.com

Here is the response header that sets the cookie:

MYAUTHCOOKIE=FOO; domain=.mydomain.com; path=/; HttpOnly

This all works fine for normal browser requests.

However, I need to make an AJAX request from mydomain.com and www.mydomain.com to abc.mydomain.com.

When I make the request, it isn't passing the authentication cookie. Why is this, and what can I do about it?

If I make a request to the same host as the page the JS resides on, it does send the cookie :s

Here's my request code:

// jQuery POST from a page on mydomain.com / www.mydomain.com
// to the API host abc.mydomain.com (a different origin).
$.ajax({
    type: "POST"
    , data: { data: { foo: bar } }   // sent form-encoded by default
    , dataType: "json"
    , url: "http://abc.mydomain.com/foo"
    , timeout: 5000
    , success: function (data, textStatus) {
        alert('woo!');
    }
    , error: function (xhr, textStatus, error) {
        alert('meh');
    }
});

Is this some cross domain policy? Why doesn't the cookie domain make this work?

Thanks

Accepted answer

According to the same origin policy, subdomains are indeed "hostile" to your top domain, but it can be fixed by setting document.domain (same article).