Why do ASP.NET Identity logins from one site get shared with different websites on the same machine?


Question

I create a brand new web application, say "WebApplication1" - WebForms with Authentication set to Individual User Accounts. I don't add a single line of code to the auto-generated code template. I run the application, register a user "User1" and log in - works fine.

Now I create another web application, "WebApplication2" - the same WebForms with Authentication set to Individual User Accounts. Again no code, and I run the application. Now I create another user, say "User2" - works fine.

The problem starts when both applications are running at the same time. If I log in to the first site as "User1", this automatically sets the Context.User.Identity of the second site, "WebApplication2", to "User1" even though it does not have "User1" registered, and vice versa; and if I log out from one site, the other gets logged out.

How is it that Context.User.Identity is being shared?

The code is the same -

using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

public static void SignIn(UserManager manager, ApplicationUser user, bool isPersistent)
{
    IAuthenticationManager authenticationManager = HttpContext.Current.GetOwinContext().Authentication;
    // Clear any external-login cookie left over from a third-party sign-in flow
    authenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);

    // Build the claims identity for this user and issue the application cookie
    // (named ".AspNet.ApplicationCookie" unless CookieName is overridden in Startup.Auth.cs)
    var identity = manager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
    authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
}

I sure am missing some basic knowledge of how ASP.NET Identity works, so please help me out.

Thanks.

Answer

If your server is configured to use cookie authentication, the server will return a cookie to the browser containing encrypted and signed claims about the user.

This cookie is by default named .AspNet.ApplicationCookie.

This cookie will be stored in your browser until it expires (default 14 days, with sliding expiry) or you explicitly sign out, which deletes the cookie.

If you open another tab or window of the same browser after you have logged in, it will also have the same cookie and pass it when sending requests to either of your two web sites.

If both sites are configured to look for the same cookie name, they will both see it and be able to decrypt the authentication cookie, as they share the same machine and thus the machine key which the server uses to encrypt/decrypt and sign the cookie. There's nothing in the cookie telling which site on the same server it belongs to, so the "User1" claim which is stored in your website WebApplication1 will be regarded as authenticated on WebApplication2. The OWIN authentication middleware will not check the database if there is a valid cookie in an incoming request. It will simply use the presented encrypted claims (username, possibly roles and others) in the cookie.

If you set the CookieName differently in your two web applications, they will not use the same authentication cookie, and hence a user authenticated in one site will not be authenticated on the other.

You can set the CookieName in your Startup.Auth.cs like this:

using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // Give each site on the host its own cookie name so the browser does not
            // present one site's authentication cookie to the other
            CookieName = "MyCookieName",
        });
    }
}
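The mechanism the answer describes (a browser cookie jar keyed by host and cookie name, a ticket that any site holding the same key can validate, and no site identity inside the ticket), as an added simulation that is not code from the question, the answer or ASP.NET Identity itself. The ticket is a toy HMAC-signed JSON blob standing in for the real encrypted cookie, and the key, host name and app names are constructed for the demonstration. It reproduces the answer's two cases (shared cookie name versus distinct CookieName) and goes one step beyond it with two variants the answer does not mention: a per-site key, and a ticket that carries an "aud" claim naming the site that issued it.

```python
# Added simulation, not code from the question or the answer: two sites on one
# host that share a cookie name and a "machine key". The ticket is a toy
# HMAC-signed JSON blob, and the key, host and app names are constructed.
import base64
import hashlib
import hmac
import json


class Browser:
    """Cookie jar keyed by (host, cookie name) only: no app id and no port, so
    two IIS Express sites on localhost:1234 and localhost:5678 share one jar."""

    def __init__(self):
        self.jar = {}

    def store(self, host, name, value):
        self.jar[(host, name)] = value

    def cookies_for(self, host):
        return {n: v for (h, n), v in self.jar.items() if h == host}


class CookieAuthApp:
    """One site that issues and validates a signed authentication cookie."""

    def __init__(self, app_id, host, machine_key,
                 cookie_name=".AspNet.ApplicationCookie", bind_app=False):
        self.app_id = app_id
        self.host = host
        self.key = machine_key
        self.cookie_name = cookie_name
        # bind_app=True is a hardening beyond the original answer: the ticket
        # records which site issued it and is rejected by any other site.
        self.bind_app = bind_app

    def _protect(self, claims):
        payload = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + mac).decode()

    def _unprotect(self, token):
        raw = base64.urlsafe_b64decode(token)
        payload, mac = raw[:-32], raw[-32:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None  # signed under a different key: not our ticket
        return json.loads(payload)

    def sign_in(self, browser, user_name):
        claims = {"name": user_name}
        if self.bind_app:
            claims["aud"] = self.app_id
        browser.store(self.host, self.cookie_name, self._protect(claims))

    def current_user(self, browser):
        """What Context.User.Identity.Name becomes: cookie only, no database."""
        token = browser.cookies_for(self.host).get(self.cookie_name)
        claims = self._unprotect(token) if token else None
        if claims is None or (self.bind_app and claims.get("aud") != self.app_id):
            return None
        return claims["name"]


def run_scenarios():
    key = b"key shared by every site on this box"  # constructed
    host = "localhost"
    out = {}

    # 1. Default template: same cookie name and key, so User1 leaks into app2
    b = Browser()
    app1 = CookieAuthApp("WebApplication1", host, key)
    app2 = CookieAuthApp("WebApplication2", host, key)
    app1.sign_in(b, "User1")
    out["same_name"] = app2.current_user(b)

    # 2. The answer's fix: distinct CookieName, app2 finds no cookie of its own
    b = Browser()
    app1 = CookieAuthApp("WebApplication1", host, key, cookie_name=".App1.Auth")
    app2 = CookieAuthApp("WebApplication2", host, key, cookie_name=".App2.Auth")
    app1.sign_in(b, "User1")
    out["distinct_name"] = app2.current_user(b)

    # 3. Same name, but app2 validates with a different key: signature fails
    b = Browser()
    app1 = CookieAuthApp("WebApplication1", host, key)
    app2 = CookieAuthApp("WebApplication2", host, b"a different key")
    app1.sign_in(b, "User1")
    out["different_key"] = app2.current_user(b)

    # 4. Same name and key, but the ticket names the site that issued it
    b = Browser()
    app1 = CookieAuthApp("WebApplication1", host, key, bind_app=True)
    app2 = CookieAuthApp("WebApplication2", host, key, bind_app=True)
    app1.sign_in(b, "User1")
    out["bound_other_site"] = app2.current_user(b)
    out["bound_own_site"] = app1.current_user(b)
    return out
```

Two practical points the simulation makes visible. Browser cookies are scoped by host and path, not by port, so two sites served from localhost on different ports are the same cookie host as far as the browser is concerned, which is exactly the development setup in the question. And a distinct CookieName only stops the accidental cross-login: the browser still sends both cookies to both sites, so a sibling site on the same host that holds the same key can still read or mint the other site's ticket. Binding the issuing site into the ticket (scenario 4) makes a ticket from one site unusable on the other even when name and key are shared, but it is an addition here, not something the answer proposes.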
