Proper creation of a cross-domain forms authentication cookie



I'm just creating a simple test between two servers. Basically, if a user has already authenticated, I want to be able to pass them between applications. I changed the keys to hide them.

I have three questions:

  1. What is the proper way to validate the cookie across domain applications? For example, when the user lands at successpage.aspx, what should I be checking for?
  2. Is the below code valid for creating a cross-domain authentication cookie?
  3. Do I have my web.config set up properly?

My code:

if (authenticated == true)
{
  //FormsAuthentication.SetAuthCookie(userName, false);
  bool IsPersistent = true;
  DateTime expirationDate = new DateTime();
  if (IsPersistent)
    expirationDate = DateTime.Now.AddYears(1);
  else
    expirationDate = DateTime.Now.AddMinutes(300);

  // Build the ticket by hand: version, name, issue time, expiry, persistence, user data, cookie path
  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
      1,
      userAuthName,
      DateTime.Now,
      expirationDate,
      IsPersistent,
      userAuthName,
      FormsAuthentication.FormsCookiePath);

  // Encrypt the ticket with the machineKey and wrap it in a cookie named as in web.config
  string eth = FormsAuthentication.Encrypt(ticket);
  HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, eth);
  if (IsPersistent)
    cookie.Expires = ticket.Expiration;

  // Scope the cookie to the parent domain so sibling applications receive it
  cookie.Domain = ".myDomain.com";
  Response.SetCookie(cookie);
  Response.Cookies.Add(cookie);

  Response.Redirect("successpage.aspx");
}

My config:

<authentication mode="Forms">
  <forms loginUrl="~/Default.aspx" timeout="2880" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>
</authentication>
<customErrors mode="Off" defaultRedirect="failure.aspx" />
<machineKey decryptionKey="@" validationKey="*" validation="SHA1"  decryption="AES"/>

Solution

What is the proper way to validate the cookie across domain applications? For example, when the user lands at successpage.aspx, what should I be checking for?

There shouldn't be anything to check. The Forms authentication mechanism will retrieve the ticket from the cookie and check if it is valid. If it is not present, or invalid, the user will be redirected to ~/Default.aspx. This will work provided your cookie matches the configuration of your web.config.

Is the below code valid for creating a cross-domain authentication cookie?

I think you shouldn't try to override the settings of your web.config by manually handling the cookie. I think there are better ways of handling cookie persistence (see below for web.config), and you are just implementing a part of the Forms authentication API (losing the web.config setting for SSL, for example).

  1. Here, your manual cookie is not HttpOnly: you could, for example, be subject to cookie theft through XSS.
  2. FormsAuthentication has its own way of handling the cookie (see the TimeOut attribute description in http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.80%29.aspx). Your cookie persistence mechanism will be overwritten by this automatic behavior.

Your code should just be:

if (authenticated)
{
  bool isPersistent = whateverIwant;
  FormsAuthentication.SetAuthCookie(userName, isPersistent);
  Response.Redirect("successpage.aspx");
}

Do I have my web.config set up properly?

It should be ok for the domain attribute, as long as you want to share authentication among direct subdomains of mydomain.com (it won't work for x.y.mydomain.com), and mydomain.com is not in the public suffix list (http://publicsuffix.org/list/).

I would change the timeout and slidingExpiration attributes to:

 <forms loginUrl="~/Default.aspx" timeout="525600" slidingExpiration="false" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>

I guess it is a good way to handle the choice between one-year persistent cookies and session cookies. See http://stackoverflow.com/a/3748723/1236044 for more info.
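To make the answer's two points concrete (let the framework issue the cookie; check nothing by hand on successpage.aspx), here is an added example that is not the asker's or the answerer's code. It assumes a <forms> element like the one above and, as documented for cross-application forms authentication, that every application sharing the cookie uses the same <machineKey> and the same <forms name="..." domain="..." path="...">; without that, the receiving application cannot decrypt a ticket the other one issued.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class CrossAppFormsAuth
{
    // Login step as the answer recommends: the framework builds the cookie.
    // GetAuthCookie yields exactly the cookie SetAuthCookie would add, but lets
    // us look at it: HttpOnly is already true, Domain is taken from
    // <forms domain="...">, Secure mirrors requireSSL, and Expires is only set
    // when isPersistent is true (a session cookie otherwise).
    public static HttpCookie SignIn(HttpResponse response, string userName, bool isPersistent)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, isPersistent);
        response.Cookies.Add(cookie);
        response.Redirect("successpage.aspx");
        return cookie;
    }

    // What successpage.aspx (in either application) can rely on without any
    // manual validation: FormsAuthenticationModule has already decrypted and
    // validated the ticket before the page runs. A request carrying no valid
    // ticket simply arrives as anonymous.
    public static string DescribeCaller(HttpContext ctx)
    {
        if (!ctx.User.Identity.IsAuthenticated)
            return "anonymous (no valid ticket presented)";
        var identity = (FormsIdentity)ctx.User.Identity;
        FormsAuthenticationTicket ticket = identity.Ticket;
        return string.Format("{0} persistent={1} expires={2:u} path={3}",
            ticket.Name, ticket.IsPersistent, ticket.Expiration, ticket.CookiePath);
    }

    // Side by side with the hand-built cookie from the question: same encrypted
    // payload, but HttpOnly and Secure stay at their default of false, which is
    // the XSS exposure the answer points at.
    public static bool ManualCookieIsHttpOnly(string userName)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddYears(1), true, userName, FormsAuthentication.FormsCookiePath);
        var manual = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        manual.Domain = ".myDomain.com"; // hypothetical domain from the question
        return manual.HttpOnly;          // false
    }
}
```

Calling SignIn from the login page and DescribeCaller from successpage.aspx on the second application shows the ticket crossing applications with no code of your own inspecting the cookie.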
