Mac Safari在刷新登录屏幕时随机重新创建cookie。非常奇怪 [英] Mac Safari randomly recreating cookie when I refresh my login screen. Very bizarre

问题描述

我们在我们的应用程序中发现了一个问题，Mac上的Safari会从已注销的会话中随机重新创建登录Cookie。

We have found an issue in our app where Safari on the Mac randomly recreates a login cookie from a logged off session.

我有一个具有此行为的提档存档此处。请注意，一些东西已从中移除，以便更容易获取，但没有设置cookie或任何东西已被取出 - 只重复的请求3-8。

I have a fiddler archive with this behaviour here. Note that some stuff has been removed from this to make it easier to get, but nothing which sets a cookie or anything has been taken out - only repetitions of requests 3-8.

我将通过运行顺序告诉您

I'll talk you through the running order

• 请求1：用户通过调用退出/logout.aspx - Set-Cookie


• 请求2-8：用户刷新登录页面，将呼叫发送到root或/res/en-US/s.js - 没有cookie发送到服务器，接收回来，并且拒绝访问。


• 请求9：请求/res/en-US/s.js - Hv3身份验证cookie有神秘的重新出现！ Wat。有没有设置cookie！ WTFF！


• 请求10+：现在cookie重新出现，网站在AGAIN中记录用户

• Request 1: user logs out via call to /logout.aspx - Set-Cookie returned setting cookie expiry date to 1999
• Requests 2-8: user refreshes login page sending calls to root or /res/en-US/s.js - no cookie is sent to server or received back, and access is denied. I have cut out a lot of requests of this nature from the log as they are boring
• Request 9: request for /res/en-US/s.js - Hv3 authentication cookie has mysteriously reappeared! Wat. There was NO set-cookie! WTFF!
• Request 10+ : now the cookie has reappeared, the site logs the user in AGAIN

在Safari中检查时，Cookie看起来像

The cookie, when examined in Safari looks like

<dict>
    <key>Created</key>
    <real>259603523.26834899</real>
    <key>Domain</key>
    <string>.mysite.dev</string>
    <key>Expires</key>
    <date>2010-03-24T16:05:22Z</date>
    <key>HttpOnly</key>
    <string>TRUE</string>
    <key>Name</key>
    <string>.Hv3</string>
    <key>Path</key>
    <string>/</string>
</dict>

需要注意的一点是，在Safari中，Cookie域是.mysite.dev而不是mysite.dev （这是在web.config中指定的cookie域） - 但是，鉴于请求2-8中的访问被拒绝，它看起来像cookie已过期确定。如果您在2-8期间在浏览器中查看Cookie列表，则.Hv3 cookie不存在。

One thing to note is that in Safari, the cookie domain is .mysite.dev not mysite.dev (which is the cookie domain specified in web.config) - however, given that access is denied in requests 2-8, it looks like the cookie has expired OK. If you look in the list of cookies in the browser during 2-8, the .Hv3 cookie is not there.

这是我们的错误还是Safari？

Is this our bug or Safari's? What can I do to stop it happening?

推荐答案

某些浏览器cookie处理有一些已知的问题。

There are known problems with certain browsers cookie handling.

请参阅以下文件：
iSEC清理Cookie后

另请参阅在Apple.com上关于重新出现Cookie的情况的讨论。

这篇关于Mac Safari在刷新登录屏幕时随机重新创建cookie。非常奇怪的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！