EnableCrossAppRedirects - Where is the cross-domain feature documented?


Question

Here an interesting feature of ASP.NET FormsAuthentication explained in this SO answer: How do you pass an authenticated session between app domains (http://stackoverflow.com/questions/72125/how-do-you-pass-an-authenticaticated-session-between-app-domains/73077#73077)

Quick summary; you can create two ASP.NET websites with the same encryption keys. WebsiteA can create a formsauth token, and redirect to WebsiteB with the token in the querystring (or POST body). Switch on EnableCrossAppRedirects in WebsiteB and ASP.NET detects the token and creates the formsauth cookie. In code:

// On WebsiteA, once the user has been authenticated. SetAuthCookie is used here
// rather than RedirectFromLoginPage, which would end the response before the
// lines below ever run.
FormsAuthentication.SetAuthCookie("alice", true);
// Build a ticket for the same user and encrypt it with this site's machine key...
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket("alice", true, 30);
string encrypted = FormsAuthentication.Encrypt(ticket);
// ...then hand it to WebsiteB in the query string under the forms cookie name.
Response.Redirect("http://siteb.dev/Secure/WebForm1.aspx?" + FormsAuthentication.FormsCookieName + "=" + HttpUtility.UrlEncode(encrypted));

Sounds like a great feature, but where is it documented? I feel uneasy about using undocumented features.

Where I've looked - no mention of this feature in any of the MSDN reference. I thought maybe RedirectFromLoginPage would build a redirect like my code above, it doesn't.

  • EnableCrossAppRedirects - "is checked within the RedirectFromLoginPage method when the redirect URL does not point to a page in the current application. If EnableCrossAppRedirects is true, then the redirect is performed"
  • Forms Authentication Across Applications - some advice on setting the machine keys for a cookie created on a sub-domain; nothing about EnableCrossAppRedirects
  • forms Element for authentication

Answer

Having looked at Reflector there is a (somewhat undocumented) feature of Forms Authentication. When EnableCrossAppRedirects is enabled .NET will, in addition to looking for the auth cookie, attempt to extract the forms authentication "cookie" from either the form post or the query string. This code is embedded in the FormsAuthentication class in the ExtractTicketFromCookie method, where it can clearly be seen trying to find the authentication cookie in the request data.

if (FormsAuthentication.EnableCrossAppRedirects)
{
    text = context.Request.QueryString[name];
    if (text != null && text.Length > 1)
    {
        if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
        {
            cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode);
        }
        try
        {
            formsAuthenticationTicket = FormsAuthentication.Decrypt(text);
        }
        catch
        {
            flag2 = true;
        }
        if (formsAuthenticationTicket == null)
        {
            flag2 = true;
        }
    }
    if (formsAuthenticationTicket == null || formsAuthenticationTicket.Expired)
    {
        text = context.Request.Form[name];
        if (text != null && text.Length > 1)
        {
            if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
            {
                cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode);
            }
            try
            {
                formsAuthenticationTicket = FormsAuthentication.Decrypt(text);
            }
            catch
            {
                flag2 = true;
            }
            if (formsAuthenticationTicket == null)
            {
                flag2 = true;
            }
        }
    }
}

Therefore if you enable EnableCrossAppRedirects on both applications, then the first application is authorised to redirect to the external site, and the second application will automatically read in the authentication cookie from the request. You just need to engineer it so that the return login URL either posts the cookie data or sends it in the querystring. You also need to be sure that either the machine keys are synchronised, or that the cookie is encrypted using the external app's machine key (by the first app). It seems by default .NET will send the encrypted authentication cookie in the querystring for you and assume your machine keys are in sync (see MSDN quote below).

Here's some more info on MSDN.

If the CookiesSupported property is true, and either the ReturnUrl variable is within the current application or the EnableCrossAppRedirects property is true, then the RedirectFromLoginPage method issues an authentication ticket and places it in the default cookie using the SetAuthCookie method.

If CookiesSupported is false and the redirect path is to a URL in the current application, the ticket is issued as part of the redirect URL. If CookiesSupported is false, EnableCrossAppRedirects is true, and the redirect URL does not refer to a page within the current application, the RedirectFromLoginPage method issues an authentication ticket and places it in the QueryString property.

There is a big warning about the impact on security. EnableCrossAppRedirects is a security setting which prevents ASP.NET login controls from redirecting to an external return URL (another web application). With this setting enabled it can be exploited in some forms of attack - a user is sent to the official login page, but on login is redirected to a different application which they may believe is the same. This is why it's disabled by default.

One way to help mitigate this when enabling the feature is as follows:

To improve security when using cross-application redirects, you should override the RedirectFromLoginPage method to allow redirects only to approved Web sites.

You also need to ensure the redirect request is served over SSL to protect the "cookie" in transit, as anyone intercepting would be able to gain control of the account.
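The following is an added example, not code from the question or the answer above. It puts together the hand-off the question sketches (ticket encrypted on WebsiteA, carried in the query string under the forms cookie name, picked up by ExtractTicketFromCookie on WebsiteB) with the mitigation the answer quotes from MSDN: the login page only redirects to approved sites, and only over https. The approved host "siteb.dev", the OnAuthenticated hook and the class name are assumptions for illustration; so is the deployment assumption that both web.config files carry the same <machineKey> and set <forms enableCrossAppRedirects="true">.

```csharp
// Added example, not code from the question or the answer. Login page on WebsiteA
// that hands the forms-auth ticket to an external site only when that site is on an
// allow-list and reached over https, and otherwise never redirects off-site.
// Assumptions (not stated on the page): the approved host "siteb.dev", the
// OnAuthenticated hook, and that both sites share <machineKey> and set
// <forms enableCrossAppRedirects="true"> in web.config.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Hypothetical allow-list of external hosts permitted to receive our ticket.
    private static readonly HashSet<string> ApprovedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "siteb.dev" };

    // True only for paths inside this application. Rejects "//evil.example" and
    // "/\evil.example", which browsers treat as absolute (a classic open-redirect bypass).
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Returns the parsed URL when it is an absolute https URL on an approved host, else null.
    public static Uri ApprovedExternalReturnUrl(string returnUrl)
    {
        Uri target;
        if (string.IsNullOrEmpty(returnUrl) ||
            !Uri.TryCreate(returnUrl, UriKind.Absolute, out target))
            return null;                                  // not an absolute URL
        if (target.Scheme != Uri.UriSchemeHttps)
            return null;                                  // ticket must not travel in cleartext
        if (!ApprovedHosts.Contains(target.Host))
            return null;                                  // unapproved site: refuse to redirect
        return target;
    }

    // Appends the encrypted ticket to the target URL under the forms cookie name;
    // this is what ExtractTicketFromCookie on WebsiteB looks for in the query string.
    public static string BuildCrossAppRedirect(Uri target, string userName)
    {
        // Short lifetime: the ticket only has to survive one redirect, and it will sit
        // in browser history, proxy logs and the Referer header of the next request.
        var ticket = new FormsAuthenticationTicket(userName, false, 2);
        string encrypted = FormsAuthentication.Encrypt(ticket);
        string separator = string.IsNullOrEmpty(target.Query) ? "?" : "&";
        return target.AbsoluteUri + separator +
               FormsAuthentication.FormsCookieName + "=" + HttpUtility.UrlEncode(encrypted);
    }

    // Hypothetical hook, called once the submitted credentials have been verified.
    protected void OnAuthenticated(string userName)
    {
        string returnUrl = Request.QueryString["ReturnUrl"];

        if (IsLocalUrl(returnUrl))
        {
            // Same application: the framework's own redirect is fine here.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
            return;
        }

        // Log the user in on this site regardless of where they go next.
        FormsAuthentication.SetAuthCookie(userName, false);

        Uri external = ApprovedExternalReturnUrl(returnUrl);
        string destination = external == null
            ? FormsAuthentication.DefaultUrl                 // rejected or missing ReturnUrl
            : BuildCrossAppRedirect(external, userName);     // approved cross-app hand-off
        Response.Redirect(destination, true);
    }
}
```

The allow-list has to live on the sending side: once the ticket is in the query string, any site holding the same machine keys will accept it, which is exactly why an unchecked ReturnUrl turns the login page into a credential relay. On WebsiteB nothing beyond enableCrossAppRedirects="true" and an identical <machineKey> is required; if the keys differ, FormsAuthentication.Decrypt throws inside ExtractTicketFromCookie (the catch block in the decompiled code above) and the request is simply treated as unauthenticated.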
