以编程方式在ASP.NET MVC中为每个用户设置Cookie域 [英] Programmatically set cookie domain per user in ASP.NET MVC
问题描述
我有一个ASP.NET MVC Web应用程序,该应用程序需要能够为每个用户设置auth cookie的域,而不是在整个Web应用程序的web.config中进行设置.
I have an ASP.NET MVC web app that needs to be able to set the auth cookie's domain per user, rather than setting it in the web.config for the entire web application.
这是我当前设置的内容:
Here is what I currently have set:
<httpCookies domain=".mydomain.com" />
场景1
当用户首次访问该网站时,他们在www.mydomain.com上.如果他们登录到我们网站的主要部分,则他们将保留在www.mydomain.com上,该登录名为:
When a user first comes to the site, they are on www.mydomain.com. If they login to the main section of our site, they will stay on www.mydomain.com, the login will call:
FormsAuthentication.SetAuthCookie(user.Id + "|"
+ user.EmailAddress + "|"
+ user.Role.ToString()
, true);
...并且cookie将会正确设置,因为www.mydomain.com与.mydomain.com的cookie域匹配,一切都很好.
...and the cookie will be set correctly, as www.mydomain.com matches the cookie domain of .mydomain.com, all is well.
场景2
用户还可以注册自己的网站部分,即companyname.mydomain.com.在这种情况下,如果他们从www.mydomain.com或companyname.mydomain.com登录,则cookie会设置得很好,再次匹配.mydomain.com的cookie域.
The user can also register for their own section of our site, which would be companyname.mydomain.com. Under this scenario, if they login from either www.mydomain.com or companyname.mydomain.com, the cookie will be set fine, as again, it matches the cookie domain of .mydomain.com.
方案3(问题)
但是,用户可以选择将自己的域名指向我们的网站,并使其镜像到他们访问companyname.mydomain.com时看到的内容.因此,假设他们注册了域名companyname.com,将其A记录指向我们的服务器,然后在我们的网站上指定他们希望其网址为companyname.com而不是companyname.mydomain.com.他们去了companyname.com,它显示了我们网站上他们部分的登录页面.现在他们尝试登录,但是当然不起作用,因为companyname.com与我们的.mydomain.com的cookie域不匹配.
However, the user has the option to point their own domain name to our site, and have it mirror what they would see if they went to companyname.mydomain.com. So let's say they register the domain companyname.com, point its A record to our server, and then specify on our site that they want to have their url be companyname.com instead of companyname.mydomain.com. They go to companyname.com, it shows the login page for their section of our site. Now they try to login, and of course, it doesn't work, as companyname.com doesn't match our cookie domain of .mydomain.com.
我们为什么不完全不在web.config中设置httpCookies域?因为那样的话,如果他们在www.mydomain.com上并尝试登录到companyname.mydomain.com,则它将失败,因为cookie将用于www.mydomain.com.
Why don't we just not set the httpCookies domain in the web.config altogether? Because then if they're on www.mydomain.com and try to login to companyname.mydomain.com, it will fail, as the cookie will be for www.mydomain.com.
我们需要说些什么,嘿,此用户的请求来自非mydomain.com的域,请将此用户的FormsAuthentication cookie的域设置为其域名,而不是.mydomain.com.
We need some way to say, hey this user's request is coming from a domain other than mydomain.com, set the domain for this user's FormsAuthentication cookie to their domain name rather than .mydomain.com.
任何想法?
推荐答案
我意识到这种方法行不通,因为出于安全考虑,您无法为不在该域中的域设置Cookie.
I realized that this approach wouldn't work, as you can't set a cookie for a domain that you're not on due to security implications.
相反,我现在要做的是尝试登录,然后检查我们必须重定向到的域是否是我们当前所在的域.如果是这样,那么我们设置身份验证票证并重定向到安全部分.如果我们不在重定向到的域上,则将其从currentdomain.com/validatelogin重定向到newdomain.com/validatelogin,然后将执行相同的检查,是的,我们在我们正在使用的域上重定向到,因此设置auth cookie,然后关闭.
Instead, what I now do is try to login, and then check if the domain that we have to redirect to is the domain that we're currently on. If so then we set the auth ticket and redirect to the secure section. If we're not on the domain that we're redirecting to, we redirect from the currentdomain.com/validatelogin to the newdomain.com/validatelogin, and then the same check will run, yes we're on the domain we're redirecting to, so set the auth cookie and off we go.
这篇关于以编程方式在ASP.NET MVC中为每个用户设置Cookie域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
