ASP.NET WebForms Authentication Logout, Cookie 仍可用于访问站点 [英] ASP.NET WebForms Authentication Logout, Cookie can still be used to access site
问题描述
我一直在用头撞墙并为此在网上搜索,但我认为我在理解将用户从 asp.net webforms 应用程序中注销的整个过程时遇到了问题.问题:我能够登录到我的应用程序并且它使用 cookie,所以我在浏览器中设置了我的 cookie.这是配置表单身份验证部分,
I have been banging my head against the wall and searching the web for this but I think I am having issues understanding the whole process of logging users out of an asp.net webforms application. The issue: I am able to log in to my application and it uses cookies, so I have my cookie set in the browser. here is the config forms authentication section,
<forms loginUrl="login.aspx" timeout="15" protection="All" name="Domain.MYDOMAIN" path="/" domain="mysite.local" cookieless="UseDeviceProfile"/>
这里是前端控件
<li><asp:LoginStatus ID="LoginStatus1" runat="server" OnLoggedOut="OnLoggedOut" /></li>
在 OnLoggedOut 方法中,我们做这样的事情.
In the OnLoggedOut Method we do something like this.
protected void OnLoggedOut(object sender, EventArgs e)
{
FormsAuthentication.SignOut();
/* Abandon session object to destroy all session variables */
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
Response.Redirect("~/login.aspx");
}
这将从浏览器中清除 cookie.但是如果在我这样做之前我复制了 Domain.MYDOMAIN = "whatever it would be"
This will clear the cookies from the browser. But if before I do this I copy the cookie name pair value of Domain.MYDOMAIN = "what ever it would be"
并将其添加到邮递员呼叫中,它仍然显示我已登录!非常令人沮丧.当我登录
and add that to a postman call, it is still showing me as logged in! Very frustrating. when I am logged in
我使用上面提到的注销按钮注销并删除了cookie
I log out using the logout button mentioned above and the cookie is removed
然后我将该 cookie 带到 Postman 并调用登录/默认页面,它显示我仍然处于登录状态!!!
Then I take that cookie to Postman and make the call to the landing / default page and it is showing me as logged in still!!!
我一直在读到 cookie 与票"有关,但我不确定如何在服务器端使该票过期.一旦用户单击注销,我不希望再次使用此 cookie 值来访问页面,应用程序中的任何页面.任何帮助,将不胜感激!谢谢!
I have been reading that the cookie is related to a "ticket" but I am not sure how to expire that ticket on the server side. Once the user clicks logout I dont want this cookie value to be used again to reach a page, any page within the application. Any help would be appreciated! Thank You!
旁注:我的会话状态设置为 InProc
Side Note: I have my session state set to InProc
<sessionState mode="InProc" />
推荐答案
用户通过用户名和密码进行身份验证,然后我们设置了一个有超时时间的cookie,这个cookie让他登录.
Ones the user is authenticate with user name and password, then we set a cookie that have a time out and this cookie let him login.
即使您从一个浏览器中删除了 cookie,如果您仍然拥有它并重新放置它 - 您允许再次登录,因为 cookie 给出了OK"来这样做.
Even if you delete the cookie from one browser, if you still have it and place it again – you permit to login again because the cookie is gives the "OK" to do that.
这不仅在 asp.net 上,而且无处不在(微软、谷歌、Facebook).
This is not only on asp.net but everywhere (Microsoft, google, Facebook).
为了增加额外的安全层,并避免有人窃取 cookie:
To add an extra layer of security, and avoid to someone steal the cookie:
第一步是仅对 cookie (*) 强制使用 SSL.
<httpCookies httpOnlyCookies="true" requireSSL="true"/>.使用它,您将很难甚至不可能窃取 cookie
First step is to force only the SSL for the cookies (*).
<httpCookies httpOnlyCookies="true" requireSSL="true" />. Using that you make it difficult to impossible to steal the cookie
第二步是注销以将该 cookie 保存在数据库中,然后在每次请求时检查 cookie 是否已注销第三步也是检查cookie是否来自同一个浏览器id.
Second step is on logout to save that cookie on a database, then on every request check if the cookies have been logged out Third step is to also check if the cookie come from the same browser id.
因此,您将 cookie 与浏览器数据以及用户按下注销的标志连接起来.
So, you connect the cookie with the browser data, and with a flag that the user press the logout.
您对 global.asax 进行检查
You make that checks on global.asax
protected void Application_BeginRequest(Object sender, EventArgs e)
<小时>
(*) 第一步:黑客可以窃取用户的网络浏览器cookie并使用该名称登录网站吗?
困难的方法是为数据库添加额外的保护层,并将 cookie 与我所说的其他用户信息、浏览器 ID 和一个标志(如果已注销)连接起来.主要思想是将您设置的经过身份验证的 cookie 保留在服务器上并仔细检查它 - 现在您不这样做了.
The difficult way is to add the database extra layer of protection and connect the cookie with other user information's as I say, the browser id, and a flag if have been logged out. The main idea is to keep on server the authenticated cookie that you have set and double check it - now you don't do that.
这篇关于ASP.NET WebForms Authentication Logout, Cookie 仍可用于访问站点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
