IIS重定向本地网站 [英] IIS Redirect Local Website
问题描述
我创建了一个包含两个页面的网站:Login.aspx和Main.aspx。在登录页面上,我正在制作一个包含用户信息的cookie,然后使用Response我将cookie发送到我收到它的主页面,如果没有收到,我将用户重定向回登录。当我从Visual Studio打开网站时,一切正常,但在我尝试将其与Microsoft IIS一起用作localhost网站后,该页面无法从登录中更改。我需要从IIS设置一些选项,还是我缺少的选项?
HttpCookie cookie = new HttpCookie( autorization);
Response.Cookies [ autorization] [ name] = name;
Response.Cookies [ autorization] [ password] = pass.ToString();
Response.Redirect( Main.aspx);
也尝试使用〜/ Main.aspx,。/ Main.aspx,/ Main.aspx,http:// ip:port / Main.aspx的完整路径。我可以通过关闭主菜单中的cookie接收并在URL栏中手动输入来访问Main,但不能通过Login中的代码(即使没有cookie)输入。
为什么它适用于Visual Studio但不适用于IIS?我应该更改什么才能使它在IIS中运行?谢谢。
/ *
我认为它可能与通过Web服务器从SQL服务器检索信息有关。我使用以下字符串:
数据源=。\SQLEXPRESS;初始目录=主;集成安全性= SSPI;
尝试使用服务器:localhost,使用ip\SQLEXPRESS,将Integrated Security设置为false。可能是我需要在SQL中设置一些内容以允许信息通过IIS,因为它只适用于Visual Studio。通过跟踪sql我看到该站点以IIS启动连接并从数据库中检索信息,但可能是它没有通过IIS传递它。
* /
/ *
问题出在SQL和ISS ApplicationPool通信中。我已经将ApplicationPool Identity更改为本地系统,并且在Logins下的SQL中我已经更改了NT AUTHORITY \ SYSTEM权限,以通过服务器角色访问特定数据库(或者如果只需要特定的数据库访问 - 通过用户映射)。现在我将Identity返回给ApplicationPoolIdentity,我正在使用带有用户名和密码的连接字符串。
* /
存储用户名和Cookie中的密码是一个非常坏主意。
每次向网站发送请求时都会发送cookie。网络上的任何人都可以拦截请求并阅读用户的凭据。
由于您没有将cookie标记为仅限HTTP,因此攻击者谁设法利用您网站中的XSS漏洞,将能够从javascript读取用户的凭据,并将其发送到自己的服务器。
不要尝试重新发明轮子。使用内置的安全功能来保护您的网站。
会员简介| MSDN [ ^ ]
ASP.NET成员和角色提供商 [ ^ ]
ASP.NET Identity | ASP.NET网站 [ ^ ]
如何构建(以及如何不构建)安全记住我功能|特洛伊亨特 [ ^ ]
I've made a site with two pages: Login.aspx and Main.aspx. On the Login page I'm making a cookie containing information about the user, then with Response I'm sending the cookie to the Main page where I receive it and if it's not received I redirect the user back to Login. When I open the the website from Visual Studio everything works, but after I tried using it with Microsoft IIS as a localhost website, the page just can't change from the Login. Is it some option I need to set from IIS, or what I'm missing?
HttpCookie cookie = new HttpCookie("autorization");
Response.Cookies["autorization"]["name"] = name;
Response.Cookies["autorization"]["password"] = pass.ToString();
Response.Redirect("Main.aspx");
Also tried using ~/Main.aspx, ./Main.aspx, /Main.aspx, full path with http://ip:port/Main.aspx. I can access Main by turning off the cookie receive in Main and typing it manually in the url bar, but not by the code from Login (even without cookie).
Why it works on Visual Studio but not on IIS? What should I change to make it works in IIS too? Thanks.
/*
I think it could be related to the retrieving of information from the SQL server through the Web server. I'm using the following string:
Data Source=.\SQLEXPRESS;Initial Catalog=master;Integrated Security=SSPI;
Tried with server:localhost, with ip\SQLEXPRESS, with Integrated Security to false. May be I need to set something in the SQL to allow the information to pass through IIS, since it's works only with the Visual Studio. With tracing the sql I saw that the site started with IIS connects and retrieve the information from the database, but may be it's not passing it through the IIS.
*/
/*
The problem was in the SQL and ISS ApplicationPool communication. I've changed ApplicationPool Identity as Local System and in SQL under Logins I've changed the NT AUTHORITY\SYSTEM permission to access the specific database through Server Role (or if needed only specific database access - through User Mapping). Now I returned the Identity to ApplicationPoolIdentity and I'm using connection string with username and password.
*/
Storing the username and password in a cookie is an EXTREMELY bad idea.
The cookie is sent with every request to the site. Anyone on the network will be able to intercept the request and read the user's credentials.
Since you haven't marked the cookie as "HTTP-only", an attacker who managed to exploit an XSS vulnerability in your site would be able to read the user's credentials from javascript, and send them to their own server.
Don't try to re-invent the wheel. Use the built-in security features to secure your site.
Introduction to Membership | MSDN[^]
ASP.NET Membership and Role Provider[^]
ASP.NET Identity | The ASP.NET Site[^]
How to build (and how not to build) a secure "remember me" feature | Troy Hunt[^]
这篇关于IIS重定向本地网站的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
