会话不会保留值并始终返回 null [英] Session would not retain values and always return null

问题描述

我有一个网站，它完全通过 HTTPS.即使有人试图通过 HTTP 访问，他也会被重定向到 HTTPS.我正在使用表单身份验证.最近我更改了一个设置以使站点更安全，之后 Session 不保留值并且总是返回 null.设置是，

I have a website, its completely over HTTPS. Even if someone tries to access over HTTP he will be redirected to HTTPS. I am using forms authentication. Recently I changed a setting to make the site more secure and after that Session is not retaining values and is always returning null. The settings are,

<httpCookies httpOnlyCookies="true" requireSSL="true"/>
<sessionState cookieless="false"/>

我不知道如何解决这个问题.我该如何解决这个问题?另外，如果我不使用此设置，我的网站是否容易受到攻击?考虑到其他一切都是安全的.

I have no idea on how to fix this issue. How do I fix this issue? Also, is my site vulnerable if I do not use this setting? consider that everything else is secure.

推荐答案

你的问题太笼统，没有很多线索，所以我可以给你一些要点继续.

You question is too general with out many clues, so I can give you some points to move on.

[1]在cookies上也设置了domain，去掉www.，这样cookie就可以被读取和设置了如果不小心丢失了 www.

[1] set also the domain on the cookies, with out the www., so the cookie can be read and set even if by mistake the www is missing.

<httpCookies domain="yourdomain.com" httpOnlyCookies="true" requireSSL="true"/>

[2] 您还需要使用类似的参数(以及您设置的其他内容)设置

[2] you also need to setup the <forms... with similar parameters (and what ever else you have set)

<forms name=".klidi" path="/" requireSSL="true" cookieless="UseCookies" 
   domain="yourdomain.com" enableCrossAppRedirects="false" 
        slidingExpiration="true" />

[3]您还需要使用类似的参数设置.

[3] you also need to setup the <roleManager with similar parameters.

<roleManager enabled="true" cacheRolesInCookie="false" cookieProtection="All" cookieSlidingExpiration="true" 
           cookieTimeout="20" domain="yourdomain.com" cookieRequireSSL="true">

最后最重要的是在您尝试设置或使用任何 cookie 之前在您的代码中设置这一行，以查看您是否错误地没有使用安全连接 https.

and last the most important set this line on your code before you try to set or use any cookie to see if by mistake you did not use secure connection https.

Debug.Assert(HttpContext.Current.Request.IsSecureConnection, "With out https, cookie will not work");

通过设置最后一行，当您创建站点时，您可以在计算机上查看并诊断问题是否来自非安全连接，因为从您将 requireSSL 设置为 true 的那一刻起，任何简单的连接都不会保存任何 cookie.

By setting the last line, on your computer when you make your site you can see and diagnose if the problem is coming from non secure connection, because from the moment you set the requireSSL to true, any simple connection will not hold any cookie.

如果 cookie 存在不安全并且您有任何冲突，请尝试清除您的 cookie，或者尝试其他浏览器.

Also try to clear your cookies in the case that the cookie exist as non secure and you have any conflict, and or try other browsers.

您还可以阅读:某些黑客可以窃取用户的 cookie 并使用该名称登录网站吗?

这篇关于会话不会保留值并始终返回 null的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！