ASP.Net FormsAuthentication Redirect Loses the cookie between Redirect and Application_AuthenticateRequest

Question

I have a FormsAuthentication cookie that is persistent and works independently in a development, test, and production environment. I have a user that can authenticate, the user object is created, the authentication cookie is added to the response:

'Custom object to grab the TLD from the url
authCookie.Domain = myTicketModule.GetTopLevelDomain(Request.ServerVariables("HTTP_HOST"))
FormsAuthentication.SetAuthCookie(authTicket.Name, False)
Response.SetCookie(authCookie)

The user gets processed a little bit to check for a first time login, security questions, etc, and is then redirected with the following tidbit:

Session.Add("ForceRedirect", "/FirstTimeLogin.aspx")
Response.Redirect("~/FirstTimeLogin.aspx", True)

With a debug break, I can verify that the cookie collection holds both a cookie not related to authentication that I set for a different purpose and the formsauthentication cookie. Then the next step in the process occurs at the ApplicationAuthenticateRequest in the global.asax:

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    Dim formsCookieName As String = myConfigurationManager.AppSettings("FormsCookieName")
    Dim authCookie As HttpCookie = Request.Cookies(formsCookieName) 

At this point, for this ONE user authCookie is nothing. I have 15,000 other users who are not impacted in this manner. However, for one user the cookie just vanishes without a trace. I've seen this before with w3wp.exe exceptions, state server exceptions and other IIS process related exceptions, but I'm getting no exceptions in the event log. w3wp.exe is not crashing, the state server has some timeouts but they appear unrelated (as verified by timestamps) and it only happens to this one user on this one domain (this code is used across 2 different TLDs with approximately 10 other subdomains).

One avenue I'm investigating is that the cookie might just be too large. I would think that there would be a check for the size of the cookie going into the response, and I wouldn't think it would impact it this way. Any ideas why the request might be dumping the cookie?

NOTE: The secondary cookie I mentioned that I set also gets dumped (and it's very tiny).

EDIT-NOTE: The session token is NOT lost when this happens. However, since the authentication cookie is lost, it is ignored and replaced on a subsequent login.

Recommended answer

It turns out that the cookie data being dumped into the cookie for this particular user happened to exceed the maximum allowed size in its encrypted format. Unencrypted, the data fit, but once the encryption was run on it the size grew too large to handle. This caused the cookie and any cookies added after it to be dropped from the response header.

Chopping the amount of data injected into the cookie solved the issue.
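
A guard for the failure described in the answer, as an added example that is not part of the original question or answer: it measures the cookie after encryption and fails loudly instead of letting it vanish. The names BuildAuthCookie, EstimateCookieSize and MaxCookieBytes are hypothetical, the 4000-byte budget is an assumption, and it assumes the extra data travels in the ticket's userData.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

Public Module AuthCookieGuard
    ' Assumed budget: browsers are only required to accept about 4096 bytes per
    ' cookie (name + value + attributes), so stay below that with some headroom.
    Public Const MaxCookieBytes As Integer = 4000

    ' Hypothetical helper: builds the encrypted forms-auth cookie and refuses
    ' to return one that would exceed the budget once encrypted.
    Public Function BuildAuthCookie(userName As String, userData As String,
                                    domain As String) As HttpCookie
        Dim ticket As New FormsAuthenticationTicket(
            1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            False, userData, FormsAuthentication.FormsCookiePath)

        ' Size must be measured after Encrypt: the protected string is much
        ' longer than the plaintext userData that went into the ticket.
        Dim encrypted As String = FormsAuthentication.Encrypt(ticket)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        cookie.Domain = domain
        cookie.HttpOnly = True
        cookie.Secure = FormsAuthentication.RequireSSL

        Dim size As Integer = EstimateCookieSize(cookie)
        If size > MaxCookieBytes Then
            Throw New InvalidOperationException(
                String.Format("Auth cookie is {0} bytes after encryption (limit {1}); " &
                              "reduce userData ({2} chars) or keep it server-side.",
                              size, MaxCookieBytes, userData.Length))
        End If
        Return cookie
    End Function

    ' Approximate header size: name=value plus the attributes set above.
    Public Function EstimateCookieSize(cookie As HttpCookie) As Integer
        Dim header As String = cookie.Name & "=" & cookie.Value &
            "; domain=" & cookie.Domain & "; path=" & cookie.Path & "; HttpOnly; secure"
        Return System.Text.Encoding.UTF8.GetByteCount(header)
    End Function
End Module
```

Logging the exception with the user name identifies which accounts carry oversized data, which is the signal that was missing when only one of 15,000 users was affected.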
