从另一个域获取发布的数据时，ASP.NET Web表单会丢失会话 [英] ASP.NET webform loses session when getting posted data from another domain

问题描述

简单地:

1. 在网站中用户登录并创建一些会话对象.

1. In website A user logs in and creates some session objects.

网站A使用Response.Redirect将用户重定向到网站B中的页面.

Website A redirects user to a page in website B using Response.Redirect.

网站B使用提交按钮将表单集合发布到网站A上的页面.

Website B POSTs a form collection to a page on website A using a submit button.

在此特定点上，此特定用户的所有会话均丢失，Session_Start再次触发.

On this specific point all sessions of this specific user are lost and Session_Start fires again.

这对于本地主机域和生产域都是相同的.

This is the same for both localhost and production domains.

当两个页面都在同一个域中时，这是可以的，而在两个单独的域中会出现问题.

This is OK when both pages are on the same domain, problem occurs with two separate domains.

在步骤3中，当使用链接而不是按钮返回网站A(显然是wieemsh完全限定域名)时，一切正常，并且存在会话.

On step 3 when using a link instead of the button to return to website A (apparently wieemsh fully qualified domain name), everything is ok and sessions exist.

似乎是跨平台提交/POST问题.

Seems it's a cross platform submit/POST problem.

会话是带有Cookie的InProc，不能更改此设置.

Sessions are InProc with cookies, changing this setting is not an option.

感谢您的关注.

P.S.对此进行谷歌搜索，发现从一页重定向到另一页时，存在某种类似的丢失会话"问题.这不是响应引起的.重定向.

P.S. googling this, I found out that there is somehow similar 'losing session' problem when redirecting from one page to another. this is not caused by response.Redirect.

修改

此问题很可能是由SameSite Cookie策略引起的.我在几种条件下进行了几次测试，但仍然无法确认.

There is a probability that this problem is caused by SameSite Cookie Policy. I ran several tests on several conditions and I cannot still confirm this.

推荐答案

首先，这是一个4.7.1 ASP.NET Webform项目，因此，如果您使用的是MVC，则只能获得一些线索.

First This was a 4.7.1 ASP.NET webform project, so if you are on MVC you can only get some clue.

@ JohnPete22提到

As @JohnPete22 mentioned This Article says SameSite Cookie Policy (as a new security measure) is for 4.7.2 and above in which you have some control, at least, to turn it ON or OFF, but what it doesn't say is that it also affects 4.7.1 projects as well with no controls over the feature, to be precise, it is always ON but control commands are not recognized by .NET framework version (I'm not aware of any .NET update to solve this). This is why posting back to a page on a separate domain looses form collection data: to maintain cross domain security.

注意:这不是解决方案，而是一种解决方法:

Note: this is not a solution, rather it's a workaround:

1. 将您的项目更新为4.7.2以启用SameSite模式，这没什么大不了的.

1. Update your project to 4.7.2 to enable SameSite modes, this is not a big deal.

将此代码添加到Global.asax Session_Start事件

Add this code to Global.asax Session_Start event

if (Response.Cookies["ASP.NET_SessionId"] != null)
{
    Response.Cookies["ASP.NET_SessionId"].SameSite = SameSiteMode.None;

    // Optional - This makes the feature secure
    // if (Request.IsSecureConnection)
    //      Response.Cookies["ASP.NET_SessionId"].Secure = true;
}

我测试了其他选项 SameSiteMode.Strict 和 SameSiteMode.Lax ，但是没有用，所以我只是关闭了该功能.

I tested other options SameSiteMode.Strict and SameSiteMode.Lax but did not work so I simply turned the feature off.

将其添加到Web.Config System.Web部分:

Add this to Web.Config System.Web section:

<sessionState mode="InProc" cookieless="UseCookies" />

为加强安全性，您可以考虑使用 Request.UrlReferrer?.ToString()检查源网站，并相应地更改SameSite模式.

To enforce better security, you may consider checking source website with Request.UrlReferrer?.ToString() and change SameSite mode accordingly.

仅此而已，伙计们！.

这篇关于从另一个域获取发布的数据时，ASP.NET Web表单会丢失会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！