网络安全在IE VS Chrome浏览器和火狐(错误) [英] Web Security in IE VS Chrome & Firefox (bug)

查看:245
本文介绍了网络安全在IE VS Chrome浏览器和火狐(错误)的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

详细内容:

我有两个应用程序

一个是一个简单的 HTML 应用程序,另一个是 ASP.NET MVC4的WebAPI 应用程序和项目内相同的解决方案中,我已经设置多个初创项目运行同一时间的应用程序。

One is a simple HTML application and another one is an ASP.NET MVC4 WebApi application and the projects are inside of same solution and i have set multiple start-up project for run the application for same time .

工作版:

我已经在Web API项目中使用的Web安全。我做了全面落实网络安全的...

I have Used Web Security in the Web API project. I did full implementation of web security...

登录行动code 

// GET api/company
[System.Web.Http.AcceptVerbs("Post")]
[System.Web.Http.HttpPost]
public HttpResponseMessage Login(LoginRequest loginRequest)
{
    try
    {
        if (WebSecurity.Login(loginRequest.EmailAddress, loginRequest.Password, true))
        {
            var userDetails = new string[2];
            userDetails[0] = loginRequest.EmailAddress;
            var currentUSerRole = Roles.GetRolesForUser(loginRequest.EmailAddress);
            userDetails[1] = currentUSerRole[0].ToString();
            HttpResponseMessage response =
                Request.CreateResponse(HttpStatusCode.Accepted, userDetails);
            return response;
        }
        else
        {
            HttpResponseMessage response
                = Request.CreateResponse(HttpStatusCode.Unauthorized);
            return response;
        }
    }
    catch (Exception e)
    {
            HttpResponseMessage response
            = Request.CreateResponse(HttpStatusCode.Unauthorized);
           return response;
    }  
}

* WebSecurity.Login * 正在所有的浏览器,当我使用调用登录方法阿贾克斯
但我在另一个控制器的另一种方法,即命名为 CurrentDateAndUser

*WebSecurity.Login* is working on all browsers when i call the login method using Ajax. But I have another method in another controller, That named as CurrentDateAndUser

code: 

[AllowAnonymous]
[System.Web.Http.AcceptVerbs("Get")]
[System.Web.Http.HttpGet]
public HttpResponseMessage CurrentDateAndUser()
{
    if (WebSecurity.IsAuthenticated)
    {
        int userId = WebSecurity.CurrentUserId;
        string[] currentDateAndUSerId = new string[2];
        currentDateAndUSerId[0] = userId.ToString();
        currentDateAndUSerId[1] = DateTime.UtcNow.ToString();

        HttpResponseMessage response =
            Request.CreateResponse(HttpStatusCode.Accepted, currentDateAndUSerId);
        return response;
    }
    HttpResponseMessage responseNew =
        Request.CreateResponse(HttpStatusCode.NotAcceptable);
    return responseNew;
}

问题:


  • 如果我打电话从Microsoft Internet Explorer使用Ajax调用 CurrentDateAndUser 方法,然后一切正常。在 WebSecurity.IsAuthenticated 返回true,并且运作良好。

  • If I call the CurrentDateAndUser method from Microsoft Internet Explorer Using an Ajax call, then everything works. The WebSecurity.IsAuthenticated returns true and is working well.

然而


  • 如果我把从谷歌浏览器或Mozilla Firefox使用Ajax调用 CurrentDateAndUser 方法,那么没有什么作品。在 WebSecurity.IsAuthenticated 始终返回false。

  • If I call the CurrentDateAndUser method from Google Chrome Or Mozilla Firefox using an Ajax call, then nothing works. The WebSecurity.IsAuthenticated always returns false.

我不知道为什么。如果你有任何想法,那么请让我知道。

我也发现了类似的问题(不知道这是一个真正的问题):

当我使用Fiddler运行我的申请,我看到一个不同的结果:

When I run my application with Fiddler, I see a different result:

当我打电话从IE中的 CurrentDateAndUser 方法,请求为:

When i call the CurrentDateAndUser method from IE, the request is:

我可以看到库克/上述图像登录值

I can see the Cooke/Login values in above image

但是,当我打电话从Chrome和Firefox的 CurrentDateAndUser 方法,请求为:

But When i call the CurrentDateAndUser method from Chrome And Firefox , the request is:

我看不到Cookie值,这意味着网​​络Security.IsAuthenticated 属性返回

I can't see the cookie values, meaning that the Web Security.IsAuthenticated property is returning false.

它是错误的 WebSecurity ?????

Is it Bug in WebSecurity?????

我的Ajax请求code是 

function GetCurrentUserId() { 
    return $.ajax({
        method: 'GET',
        url: rootUrl + '/api/Common/CurrentDateAndUser',
        async: false
    }).success(function (response) {
        return response[0];

    }).error(function () {
        toastr.error('Somthing is wrong', 'Error');
    })
}

此请求当我运行在Chrome和Firefox的应用程序不发送验证Cookie值的Web API的方法,但是,这个请求发送cookie值到API的方法,如果在IE

我已经发布了图片,请在上面的图片来看看

推荐答案

这个问题是不是与网络安全可言,它与您实现您的安全的方式。你不应该使用用户ID,电子邮件或任何在饼干很重要的。

The issue is not with web security at all, it's with the way you implement your security. You should never be using a userid, email, or anything important in the cookies.

我会建议你使用 FormsAuthentication 类加密和解密你的cookies,即使如此,单店的东西,如的SessionID加上会话ID的自定义哈希验证你的自我,当你解密的cookie

I would suggest you use the FormsAuthentication class to encrypt and decrypt your cookies, and even so, only store something such as the SessionID plus a custom hash of that session ID to verify your self when you decrypt the cookie

下面是一个给人以pretty很好的例子,一个网站的http://www.c-sharpcorner.com/uploadfile/nipuntomar/update-formsauthenticationticket/

Here is a site that gives a pretty good example: http://www.c-sharpcorner.com/uploadfile/nipuntomar/update-formsauthenticationticket/

这篇关于网络安全在IE VS Chrome浏览器和火狐(错误)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
C#/.NET最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆