Multiple cookies issue in OWIN security AuthenticationHandler

Problem description

I am using Facebook Owin Authentication and more or less follow the Microsoft sample. The first time a user logs in, everything is OK. But if they sign out and try again, it seems like the previous .AspNet.Correlation.Facebook is not removed, but set to empty string. So my next call to api/getexternallogin looks like this in Fiddler:

This is when we are generating a correlationId and having multiple cookies at this point is not a show stopper. In the response, I set it to the new CorrelationId:

Later, when Facebook calls back to "/signin-facebook", we try to validate the correlationId in the ValidateCorrelationId method. The request looks like this:

So the new CorrelationId has been set but the extra cookie with no value means when I go Request.Cookies["ValidateCorrelationId"], it returns empty string.

I have checked the code and it seems like the only methods modifying this cookie are GenerateCorrelationId and ValidateCorrelationId. Implementation of these methods can be found in here:

http://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security/Infrastructure/AuthenticationHandler.cs

Curiously enough, my browser does not seem to see the issue:

Any ideas will be much appreciated.

Recommended answer

OK this has taken me a fair bit of frustration but when Response.Cookies.Delete(".AspNet.Correlation.Facebook") is called in ValidateCorrelationId method, it sends the following in response:

So the value of "expires" has been concatenated and treated as two separate "set-cookie"s. Hence, the cookie is not expired but its value set to empty string. It seems like the comma after "Thu" is causing it.

The fix I have come up with was to comment out Response.Cookies.Delete(".AspNet.Correlation.Facebook") and do the following instead:

Response.Headers.Add("Set-Cookie", new[] { CorrelationKey + "=; path=/; expires=Fri 02-Jan-1970 00:00:00 GMT" });

No commas there and it is working now.

This does seem like a genuine bug in OWIN.
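
The failure mode the answer describes, reproduced as an added example (not the poster's code and not Katana's): it assumes some layer between the handler and the client treats "," as a header-value separator, which is what the answer infers from the response it saw. SplitOnComma, Describe, Report and the comma-bearing header string are hypothetical and constructed for illustration; the cookie name and the comma-free header come from the page.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class SetCookieCommaDemo
{
    // Cookie name as it appears on the page.
    const string Cookie = ".AspNet.Correlation.Facebook";

    // Date shape of the answer's replacement header: dd-MMM-yyyy HH:mm:ss GMT.
    static readonly Regex CookieDate =
        new Regex(@"\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} GMT$");

    // Hypothetical intermediary that splits a header value on commas.
    // RFC 6265 notes that Set-Cookie uses "," in a way that conflicts with this.
    static string[] SplitOnComma(string headerValue) =>
        headerValue.Split(',').Select(p => p.Trim()).ToArray();

    // Summarises what a client would take from one Set-Cookie value:
    // the name=value pair and whether the expires attribute is a full date.
    static string Describe(string setCookie)
    {
        string[] attrs = setCookie.Split(';').Select(a => a.Trim()).ToArray();
        string expires = attrs.Skip(1).FirstOrDefault(a =>
            a.StartsWith("expires=", StringComparison.OrdinalIgnoreCase));
        bool expiryUsable = expires != null && CookieDate.IsMatch(expires);
        return $"[{attrs[0]}] expiry usable: {expiryUsable}";
    }

    static void Report(string label, string headerValue)
    {
        Console.WriteLine(label);
        foreach (string piece in SplitOnComma(headerValue))
            Console.WriteLine("  " + Describe(piece));
    }

    static void Main()
    {
        // Constructed to match the answer's description: a comma after "Thu".
        Report("delete header with a comma in the date:",
            Cookie + "=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT");
        // The answer's replacement header, which contains no comma.
        Report("delete header without a comma:",
            Cookie + "=; path=/; expires=Fri 02-Jan-1970 00:00:00 GMT");
    }
}
```

The first header splits into two pieces: an empty-valued correlation cookie whose expires is only "Thu", and a stray date fragment. The empty cookie is therefore kept rather than expired, while the comma-free header survives as a single value with a complete expiry date.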
