FormsAuthentication.SetAuthCookie没有设置路径或域？ [英] FormsAuthentication.SetAuthCookie not setting Path or Domain?

问题描述

我有一个Web应用程序可以在很多领域和路径进行安装。

I have a web app can be installed on lots of domains and paths.

所以：

• 的 client1Name。{mySite.com} 的


• 的 client2Name。{mySite.com} 的


• 的演示。{} mySite.com / prospect1Name 的


• 的演示。{} mySite.com / prospect2Name 的


• 的演示。{} mySite.com / prospect3Name 的

• client1Name.{mySite.com}
• client2Name.{mySite.com}
• demo.{mySite.com}/prospect1Name
• demo.{mySite.com}/prospect2Name
• demo.{mySite.com}/prospect3Name

在同一code的所有单独的应用程序实例。

All separate application instances of the same code.

问题是，如果一个客户端登录到的 client1Name。{mySite.com} 的再访问其他网站之一，他们的浏览器将发送身份验证cookie。

The problem is that if a client logs in to client1Name.{mySite.com} then visits one of the other sites their browser will send the authentication cookie.

在所有情况下 FormsAuthentication.SetAuthCookie 不设置任何的路径或域。

In all cases FormsAuthentication.SetAuthCookie doesn't set either the Path or the Domain.

我会想到的是：

• 的 {client1Name} mySite.com 的 - 域 = client1Name {mySite.com} 的路径 = / 的


• 的 {client2Name} mySite.com 的 - 域 = client2Name {mySite.com} 的路径 = / 的


• 的 {演示} mySite.com / prospect1Name 的 - 域 = 演示{mySite.com} 的路径 = / prospect1Name 的


• 的 {演示} mySite.com / prospect2Name 的 - 域 = 演示{mySite.com} 的路径 = / prospect2Name 的


• 的 {演示} mySite.com / prospect3Name 的 - 域 = 演示{mySite.com} 的路径 = / prospect3Name 的

• client1Name.{mySite.com} - Domain = client1Name.{mySite.com} Path = /
• client2Name.{mySite.com} - Domain = client2Name.{mySite.com} Path = /
• demo.{mySite.com}/prospect1Name - Domain = demo.{mySite.com} Path = /prospect1Name
• demo.{mySite.com}/prospect2Name - Domain = demo.{mySite.com} Path = /prospect2Name
• demo.{mySite.com}/prospect3Name - Domain = demo.{mySite.com} Path = /prospect3Name

我可以手动覆盖的.Net的行为明确地设置这些，但我不知道为什么我应该需要 - 确保设置身份验证Cookie或至少一个选项，可以在不重新进行设置时，这应该是默认的行为 - 写入它的大块。

I can manually override .Net's behaviour to explicitly set these, but I'm not sure why I should need to - sure this should be the default behaviour when setting an authentication cookie or at least an option that can be set without re-writing big chunks of it.

我缺少的东西吗？有没有一些方法，使 FormsAuthentication.SetAuthCookie 设置路径和域？

Am I missing something? Is there some way to make FormsAuthentication.SetAuthCookie set the Path and Domain?

如果没有什么是动态读过的最好的路径和域的最佳方式？同样的code的在所有网站上运行，我不希望添加更多的配置项。

If not what is the best way to dynamically read the best Path and Domain? The same code has to run on all sites and I don't want to add a further configuration key.

更新

下面是我目前的解决方案：

Here is my current solution:

// replacement for FormsAuthentication.SetAuthCookie(user.UserName, false);
// as that fails to limit the cookie by domain & path and fails.

var cookie = FormsAuthentication.GetAuthCookie(username, false);
cookie.HttpOnly = true;
cookie.Path = this.Request.ApplicationPath;
cookie.Secure = string.Equals("https", this.Request.Url.Scheme, StringComparison.OrdinalIgnoreCase);

// the browser will ignore the cookie if there are fewer than two dots
// see cookie spec - http://curl.haxx.se/rfc/cookie_spec.html
if (this.Request.Url.Host.Split('.').Length > 2)
{
    // by default the domain will be the host, so www.site.com will get site.com
    // this may be a problem if we have clientA.site.com and clientB.site.com
    // the following line will force the full domain name
    cookie.Domain = this.Request.Url.Host;
}

this.Response.Cookies.Add(cookie);

然而，这似乎想了很多变通的东西的 FormsAuthentication.SetAuthCookie 应该是能够做到的。这真的是最好的方式？

However, that seems like a lot of workaround for something FormsAuthentication.SetAuthCookie should be able to do. Is this really the best way?

推荐答案

我已经做了很多挖的，但是看起来像的原因 FormsAuthentication.SetAuthCookie 不支持，这是因为它的不应该的 - IIS应的从不的有关身份验证cookie设置路径，这里的原因...

I've had to do a lot of digging, but is looks like the reason FormsAuthentication.SetAuthCookie doesn't support this is because it shouldn't - IIS should never set paths on authentication cookies, and here's why...

的Cookie路径的区分大小写的，因此：

Cookie paths are case-sensitive, so:

• 的http：//网站/路径


• 的http：//网站/ PATH

• http://site/path
• http://site/PATH

对于浏览器的2个不同的饼干 - 他们没有（IE，FX，Safari浏览器，歌剧或Chrome）将发送 / PATH 的cookie来 /路径，反之亦然。

Are 2 different cookies for the browser - none of them (IE, FX, Safari, Opera or Chrome) will send /PATH's cookie to /path or vice versa.

IIS是的区分大小写的，但总是会重置的URL ASP应用程序名称的情况。

IIS is case-insensitive, but will always reset the URL to the ASP application name's case.

这意味着，如果IIS应用程序被称为路，用户进入的http：//网站/路径那么他们将被重定向到登录在上的http：//网站/ PATH / LogOn支持RETURNURL = /路径由IIS / ASP.Net

This means that if the IIS application is called "PATH" and the user goes to http://site/path then they will be redirected to log-on at http://site/PATH/LogOn?ReturnUrl=/path by IIS/ASP.Net

在一个成功的登录用户被重定向回 RETURNURL 指定，因此：

After a successful log-on the user gets redirected back to the ReturnUrl specified, so:

1. 用户进入的http：//网站/路径


2. 被发送到的http：//网站/ PATH / LogOn支持RETURNURL = /路径由IIS


3. 进入登录的详细信息，并提交


4. 响应设置cookie来 / PATH 和位置，如<$ C $定义 /路径（ C> RETURNURL ）


5. 重定向到的http：//网站/路径


6. 浏览器不能识别 /路径，只对 / PATH 等一个cookie送什么！


7. 无Cookie发送到应用程序，所以它提供重定向回的http：//网站/ PATH / LogOn支持RETURNURL = /路径


8. 转到步骤2和重复。

1. User goes to http://site/path
2. Gets sent to http://site/PATH/LogOn?ReturnUrl=/path by IIS
3. Enters log-on details and submits
4. Response sets the cookie to /PATH and the location to /path (as defined by ReturnUrl)
5. Redirected back to http://site/path
6. Browser doesn't recognise /path, it only has a cookie for /PATH and so sends nothing!
7. No cookie sent to application, so it serves a redirect back to http://site/PATH/LogOn?ReturnUrl=/path
8. Go to step 2 and repeat.

这对用户产生了一个问题，如果他们有的http：//网站/路径作为URL的他们将永远不会出现能够登录应用程序。

This creates a problem for users if they have http://site/path as the URL for the application they will never appear to be able to log-on.

继这一点，如果他们已经登录到的http：//网站/ PATH 和被发送的URL，比如电子邮件发送到 HTTP：//网站/路径/资源/ ID ，他们会被问到登录一遍，将无法获得新路径

Further to this if they're already logged on to http://site/PATH and get sent a URL, say an email to a http://site/path/resource/id, they will get asked to log on all over again and won't be able to get to the new path.

这意味着，除非你需要 / PATH 和 /路径是完全不同的网站（可能性不大以外的某些UNIX只有环境）你不应该设置身份验证Cookie路径属性。

This means that unless you need /PATH and /path to be completely different sites (unlikely outside certain UNIX only environments) you should never set the path property on authentication cookies.

这篇关于FormsAuthentication.SetAuthCookie没有设置路径或域？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！