FormsAuthentication.SetAuthCookie not setting Path or Domain?
Question
I have a web app that can be installed on lots of domains and paths.
So:
- client1Name.{mySite.com}
- client2Name.{mySite.com}
- demo.{mySite.com}/prospect1Name
- demo.{mySite.com}/prospect2Name
- demo.{mySite.com}/prospect3Name
All are separate application instances of the same code.
The problem is that if a client logs in to client1Name.{mySite.com} and then visits one of the other sites, their browser will send the authentication cookie.
In all cases FormsAuthentication.SetAuthCookie doesn't set either the Path or the Domain.
I would expect:
- client1Name.{mySite.com} - Domain = client1Name.{mySite.com}, Path = /
- client2Name.{mySite.com} - Domain = client2Name.{mySite.com}, Path = /
- demo.{mySite.com}/prospect1Name - Domain = demo.{mySite.com}, Path = /prospect1Name
- demo.{mySite.com}/prospect2Name - Domain = demo.{mySite.com}, Path = /prospect2Name
- demo.{mySite.com}/prospect3Name - Domain = demo.{mySite.com}, Path = /prospect3Name
I can manually override .Net's behaviour to explicitly set these, but I'm not sure why I should need to. Surely this should be the default behaviour when setting an authentication cookie, or at least an option that can be set without re-writing big chunks of it.
Am I missing something? Is there some way to make FormsAuthentication.SetAuthCookie set the Path and Domain?
If not, what is the best way to dynamically read the best Path and Domain? The same code has to run on all sites and I don't want to add a further configuration key.
Update
Here is my current solution:
    // Replacement for FormsAuthentication.SetAuthCookie(user.UserName, false),
    // which does not limit the cookie by domain and path.
    var cookie = FormsAuthentication.GetAuthCookie(username, false);
    cookie.HttpOnly = true;
    // Scope the cookie to this application's virtual directory, e.g. /prospect1Name
    cookie.Path = this.Request.ApplicationPath;
    // Only mark the cookie Secure when the request actually arrived over HTTPS
    cookie.Secure = string.Equals("https", this.Request.Url.Scheme, StringComparison.OrdinalIgnoreCase);
    // The browser will ignore the cookie if the domain has fewer than two dots
    // (see the original cookie spec - http://curl.haxx.se/rfc/cookie_spec.html),
    // so only set Domain for hosts such as client1Name.mySite.com.
    if (this.Request.Url.Host.Split('.').Length > 2)
    {
        // by default the domain will be the host, so www.site.com will get site.com
        // this may be a problem if we have clientA.site.com and clientB.site.com
        // the following line will force the full domain name
        cookie.Domain = this.Request.Url.Host;
    }
    this.Response.Cookies.Add(cookie);
However, that seems like a lot of workaround for something FormsAuthentication.SetAuthCookie should be able to do. Is this really the best way?
Recommended answer
I've had to do a lot of digging, but it looks like the reason FormsAuthentication.SetAuthCookie doesn't support this is because it shouldn't: IIS should never set paths on authentication cookies, and here's why...
Cookie paths are case-sensitive, so:
- http://site/path
- http://site/PATH
are 2 different cookies for the browser. None of them (IE, FX, Safari, Opera or Chrome) will send /PATH's cookie to /path or vice versa.
IIS is case-insensitive, but will always reset the URL to the ASP application name's case.
This means that if the IIS application is called "PATH" and the user goes to http://site/path, then they will be redirected by IIS/ASP.Net to log on at http://site/PATH/LogOn?ReturnUrl=/path.
After a successful log-on the user gets redirected back to the ReturnUrl specified, so:
1. User goes to http://site/path
2. Gets sent to http://site/PATH/LogOn?ReturnUrl=/path by IIS
3. Enters log-on details and submits
4. Response sets the cookie to /PATH and the location to /path (as defined by ReturnUrl)
5. Redirected back to http://site/path
6. Browser doesn't recognise /path, it only has a cookie for /PATH and so sends nothing!
7. No cookie sent to application, so it serves a redirect back to http://site/PATH/LogOn?ReturnUrl=/path
8. Go to step 2 and repeat.
This creates a problem for users: if they have http://site/path as the URL for the application they will never appear to be able to log on.
Further to this, if they're already logged on to http://site/PATH and get sent a URL, say an email linking to http://site/path/resource/id, they will get asked to log on all over again and won't be able to get to the new path.
This means that unless you need /PATH and /path to be completely different sites (unlikely outside certain UNIX-only environments) you should never set the path property on authentication cookies.